
SANS ISC InfoSec Handlers Diary Blog



How to Use Twitter for Information Mining

Published: 2009-01-21
Last Updated: 2009-01-22 14:45:41 UTC
by Lenny Zeltser (Version: 1)

Twitter is fun. It's also a powerful research tool. People increasingly use Twitter to share advice, opinions, news, moods, concerns, facts, rumors, and everything else imaginable. Much of that data is public and available for mining.

Here's how to use Twitter to gather useful information about topics, companies, and individuals. (Some call this practice "twittermining.") I'll cover native Twitter features, as well as third-party tools with catchy names, such as 5and2fish, Twitter Venn, TwitterFriends, PeopleBrowsr, Twitturly, Twitter Spectrum, and others.

Most of the techniques mentioned here don't require you to be a registered Twitter user. If you use Twitter, consider what data tidbits you release there, and whether you need to be more careful.

Twitter Essentials

If you're new to Twitter, watch Common Craft's Twitter in Plain English video. You may also like the Twittering Tips for Beginners article from the NY Times.

While some people tweet about mundane happenings like "Heading to work," many use Twitter for micro-blogging more meaningful updates. Also inherent to Twitter is its ability to encourage and capture conversations that span themes, time, and geographies.

Google is great for sifting through standard web pages and official news. It's OK for searching blogs, though many prefer specialized services such as Technorati. None of these services match Twitter's access to an unfiltered, real-time perspective on what people are thinking and doing. (IMHO)

Research Emerging Topics

Twitter allows you to search what its users are saying right now, even when "traditional" data sources are of little help. For instance, when the US Airways #1549 plane crashed the other week, you could read about it immediately on Twitter before CNN had coverage of the event. You could observe the news spread like wildfire in Twitterspace.

Interested in following general information security topics? Search for "security information OR data". Want to track a worm? Search for its names: "Downadup OR Conficker". When researching a wave of Roundcube 0-day vulnerability scans for an earlier diary, I used Twitter's search to scope the problem.

By convention, Twitter users sometimes add topic metadata to their tweets by using a hashtag, a.k.a. tracker keyword. If I were tweeting about malicious software, I might add "#malware" to my message. Hashtags help you track a particular topic by searching Twitter for the desired keyword, e.g. "#malware". You can also track hashtags via the Hashtags site.

Research Your Company and Competition

You can use Twitter to keep an eye on what people are saying about your organization, or to track your competitors. For instance, you may search Twitter's messages for the company's name, e.g. "SANS Institute". You may also want to search for the name of your industry or sector: "security AND training".

If the company you'd like to track has a Twitter account, you may want to follow it. Many major brands are active on Twitter in an official capacity. If they're not, you can look for company employees that tweet using personal accounts. (If interested in competitive intelligence gathering, see my earlier note about LinkedIn.)

Visualize Twitter Topic Data

Use Twitter Venn to understand relationships between concepts. It lets you enter 2 or 3 keywords, then searches Twitter for them, and draws overlapping circles that indicate tweets with those keywords. For example, using this tool to search for "coke,pepsi" shows what Twitter users are saying about each drink. Of particular interest is the area where the circles overlap, because those tweets mention both drinks in one message. As another example, you can examine phishing trends by searching for "phishing,mail,phone".

Use Twitter StreamGraph to understand what words were associated with a particular keyword over time. For instance, searching for "security" can help you understand the concepts Twitter users tied to this term; clicking on each "wave" of the StreamGraph will show you the associated tweets. To understand the words associated to two different concepts, use Twitter Spectrum; for example, try searching for "unix,windows" to see what people are saying about each OS.

To visually search tweets within a geographic area, use 5and2fish, a mash-up between Twitter and Google. If you find this service too slow, use Twitter's advanced search to limit query by location. You can also use the TwitterLocal application to watch public geo-tagged tweets for a location.

Research Individuals

Use Twitter's search to locate all tweets that mention a person's name. Even if the person doesn't have a Twitter account, but is being discussed on Twitter, such a search will yield results. Twitter's advanced search also lets you locate messages from and/or to specific people; for this, you need to specify the individuals' Twitter usernames.

When you know the person's name, you can find his or her Twitter account from Twitter's Find People page, if the person's Twitter profile includes the name. Once you've located the stream of the person you wish to follow, click the Follow button on their Twitter page. (Here's mine.) Note that some people protect their updates to control who may see them.

To see which URLs a person shared on Twitter, use Twitturly. To search Twitter bios of the individuals who follow a particular person, use TweepSearch.

To track a person's feeds across multiple social networking sites, consider FriendFeed. It can collect data from Twitter, Facebook, LinkedIn, YouTube, and many others. You can search FriendFeed, similarly to Twitter. Some people who protect their updates on Twitter choose to expose them on FriendFeed.

Analyze and Visualize Twitter People Data

Several on-line tools can help you analyze and visualize public data about a Twitter user. For instance, TweetStats can show you when the person tweets and how often, which Twitter clients he or she uses, and which words come up frequently in the tweets.

When profiling a Twitter user, examine the person's relationships: whom he follows and who follows him. The previously mentioned Twitter Venn can help you understand the relationship between messages sent and received between Twitter users if you use "from:" and "to:" tags in your search, such as "to:lennyzeltser,from:lennyzeltser".

To compare the words two Twitter users include in their messages, use the previously mentioned Twitter Spectrum search, crafting the query in the form "from:user1,from:user2".

Another tool, TwitterFriends, can help you see who the person interacts with and how; it also lets you compare one Twitter user's stats to another's.

TweetWheel helps you understand which of a Twitter user's followers know each other. It does this by creating a beautiful wheel that highlights the people's Twitter ties to each other.

Track Data With Alerts and Dashboards

Twitter automatically generates an RSS feed for a particular user's update stream and for Twitter search results. If you'd rather receive email notifications, consider signing up for Twilert.

When following a lot of people or search results on Twitter, you can easily get overwhelmed even when using an RSS or an email reader. In this case, consider the popular Twitter client TweetDeck. It lets you create a dashboard that splits Twitter updates into separate columns according to your criteria.

An up-and-coming competitor to TweetDeck is PeopleBrowsr, which offers similar features via a website, without requiring a local application. PeopleBrowsr also supports other social networks, such as Facebook and LinkedIn, in addition to Twitter. As of this writing, PeopleBrowsr is in alpha; it’s a bit rough around the edges, but looks very promising.

Be Mindful as You Research and Tweet

As you gather information on Twitter, be mindful of others attempting to manipulate you into arriving at their conclusions by feeding you misinformation. Cross-check data and understand its sources. For more on this, see Is Twitter A Market Manipulator's Dream on the TwiTip blog. If the topic of reputational attacks interests you, also look at the SpinHunters blog.

If using Twitter to share information and stay in touch with your friends, be mindful of how others might misuse what you reveal about yourself, others, or your company. In the words of Wired magazine's Steven Levy, "No matter how innocuous your individual tweets, the aggregate ends up being the foundation of a scary-deep self-portrait. It's like a psychographic version of strip poker--I'm disrobing, 140 characters at a time."

Liked this? Post it to Twitter!

-- Lenny

Lenny Zeltser - Security Consulting

You're welcome to follow Lenny on Twitter. You can also track new Internet Storm Center diaries by following ISC on Twitter.


Vulnerabilities on Cisco and Apple products

Published: 2009-01-21
Last Updated: 2009-01-21 21:33:36 UTC
by Raul Siles (Version: 2)

A new set of vulnerabilities has been announced for Cisco and Apple products:

Cisco:

Apple:

Time to review the advisories and update. Thanks to fellow handler Jim for the heads up.

--
Raul Siles
www.raulsiles.com

Keywords: apple cisco

Traffic increase for port UDP/8247

Published: 2009-01-21
Last Updated: 2009-01-21 15:18:12 UTC
by Raul Siles (Version: 3)

We got reports of a significant traffic increase associated with port UDP/8247 starting yesterday. Thanks to Ian and John for the early warning. The peak can be seen in our DShield graphs too. It seems to be related to CNN's streaming service broadcasting the Obama events mentioned in yesterday's ISC diary. Based on multiple reports, CNN seems to be using Octoshape's P2P plug-in with Flash.

The traffic looks like P2P: there are many endpoints, one or both end ports are UDP/8247, and the packet size appears to be constant (as expected for streaming traffic). In the samples we got, the UDP payload is 1043 bytes.

The purpose of this diary is to let you know this activity is going on. Having said that, please do not simply ignore this kind of traffic because of this diary. It would be easy for an attacker to hide his actions on this port if we simply ignored it.

--
Raul Siles
www.raulsiles.com

UPDATE: A couple of references, here and here, about what Octoshape's Flash tool looks like from the end user's perspective.
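The diary's advice is to keep watching this port rather than whitelisting it. As an added example (not part of the diary, not Octoshape's or DShield's code), the POSIX shell/awk script below applies that advice to flow records: it summarizes UDP traffic touching port 8247 by distinct host pairs (P2P-like fan-out) and by whether each record carried the 1043-byte payload reported above, and it builds a tcpdump filter that matches that packet size so a sensor can count the expected stream packets separately from anything else on the port. The record format, all addresses and all sizes are constructed for the example; the 1043-byte payload is a heuristic taken from the samples in the diary, not a signature of the plug-in.

```shell
#!/bin/sh
# Constructed sample flow records (not real captures):
# time src_ip:port dst_ip:port proto udp_payload_bytes
SAMPLE_FLOWS='2009-01-20T18:01:02 10.0.0.5:8247 198.51.100.10:8247 UDP 1043
2009-01-20T18:01:02 10.0.0.5:8247 198.51.100.11:51234 UDP 1043
2009-01-20T18:01:03 198.51.100.12:8247 10.0.0.5:8247 UDP 1043
2009-01-20T18:01:04 10.0.0.5:40001 203.0.113.7:8247 UDP 1043
2009-01-20T18:01:05 10.0.0.9:8247 203.0.113.9:8247 UDP 60
2009-01-20T18:01:06 10.0.0.9:8247 203.0.113.9:8247 UDP 1043
2009-01-20T18:01:07 10.0.0.5:53412 192.0.2.53:53 UDP 70'

# summarize_8247 [PORT] [PAYLOAD]: read flow records on stdin and, for UDP
# records where either end is PORT (default 8247), report the number of
# records, the number of distinct host pairs, how many records carried the
# expected payload size (default 1043) and how many did not. Records with an
# unexpected size on this port are the ones not to ignore.
summarize_8247() {
    awk -v port="${1:-8247}" -v expect="${2:-1043}" '
        $4 != "UDP" { next }
        {
            split($2, s, ":"); split($3, d, ":")
            if (s[2] != port && d[2] != port) next
            total++
            # order the two addresses so A->B and B->A count as one pair
            pair = (s[1] < d[1]) ? s[1] "-" d[1] : d[1] "-" s[1]
            pairs[pair] = 1
            if ($5 == expect) ok++; else odd++
        }
        END {
            n = 0; for (p in pairs) n++
            printf "flows=%d peers=%d size_%d=%d other_size=%d\n",
                   total + 0, n, expect, ok + 0, odd + 0
        }'
}

# bpf_for_payload PORT PAYLOAD: build a tcpdump/BPF filter matching UDP
# datagrams on PORT whose UDP length field (bytes 4-5 of the UDP header)
# equals 8 (header) + PAYLOAD. Negate it on the sensor to see everything
# else that uses the port.
bpf_for_payload() {
    printf 'udp port %d and udp[4:2] = %d\n' "$1" "$(( $2 + 8 ))"
}

printf '%s\n' "$SAMPLE_FLOWS" | summarize_8247   # flows=6 peers=5 size_1043=5 other_size=1
bpf_for_payload 8247 1043                         # udp port 8247 and udp[4:2] = 1051
```

Run it with real records by piping your own flow export (in the same five-column shape) into summarize_8247; the 60-byte record in the sample is the kind of outlier that deserves a look even while the bulk of the port's traffic is explained by the stream.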

Keywords: player ports traffic

NMAP Trivia ANSWERS: Mastering Network Mapping and Scanning

Published: 2009-01-21
Last Updated: 2009-01-21 13:48:13 UTC
by Raul Siles (Version: 1)

Three weeks ago we published the NMAP Trivia challenge. Thanks to all ISC readers who submitted their responses! A special mention goes to the winning entry from Jason DePriest, an extensive and elaborate submission, available here. Congratulations! The prize (a technical book) is on its way! ;)

Jon Kibler provided an in-progress nmap idea for a new feature: a scan proxy engine, equivalent to the FTP bounce scan, for scanning through HTTP or SOCKS proxies.

Now... it is time for the answers:

1. What are the default target ports used by the current nmap version (4.76)? How can you change the target ports list? What (nmap) options can be used to speed up scans by reducing the number of target ports and still check (potentially) the most relevant ones? How can you force nmap to check all target ports?

Fyodor performed thorough port-scan research last summer to identify the most common ports open on the Internet [1]. The current nmap version scans the 1000 most popular ports by default. The popularity of each port is encoded in the nmap-services configuration file (by default under /usr/local/share/nmap).

...
unknown 4/tcp   0.000477
rje     5/udp   0.000593        # Remote Job Entry
unknown 6/tcp   0.000502
echo    7/tcp   0.004855
echo    7/udp   0.024679
unknown 8/tcp   0.000013
...


Nmap provides an option for quick scans, "-F". It scans the 100 most popular ports, reducing the default load by one order of magnitude. Additionally, you can decide how many popular ports you want to scan through the "--top-ports N" option, where N is how many of the most popular ports to include.

# ./nmap -F  scanme.nmap.org

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-21 10:44 GMT
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 95 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
53/tcp  open   domain
80/tcp  open   http
113/tcp closed auth

Nmap done: 1 IP address (1 host up) scanned in 4.04 seconds

# ./nmap --top-ports 5  scanme.nmap.org

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-21 10:44 GMT
Interesting ports on scanme.nmap.org (64.13.134.52):
PORT    STATE    SERVICE
21/tcp  filtered ftp
22/tcp  open     ssh
23/tcp  filtered telnet
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 8.56 seconds

Finally, nmap allows you to define the specific set of ports to scan through the "-p" option, as in "-pT:22,80,443,U:53,69,514". All ports, including port 0, can be scanned by providing the "-p0-" option, meaning from 0 to the end of the range, that is, port 65535. You need to specify whether they are TCP or UDP ports, or both ("-sSU").

# nmap -p0- scanme.nmap.org

[1] http://insecure.org/presentations/BHDC08/
 

2. How can you force nmap to scan a specific list of 200 target ports, only relevant to you?

If you don't want to scan the most popular ports, you can tell nmap the particular list of ports to scan by specifying them with the "-p" option, one by one or in ranges, as in "-p 20-23,25,80,443". Because this can be too tedious for long lists of ports, the recommended way is to copy and edit the "nmap-services" file and create a custom version containing your list of interesting ports. The new custom file can be referenced using the "--servicedb" (for an individual file) or "--datadir" (for the configuration files directory) option, as in:

# nmap --datadir ./myconfig scanme.nmap.org

If your custom file contains more than 200 target services, you can then use the "--top-ports 200" option again. The specific file and directory search order followed by nmap is detailed on page 370 of the nmap book: http://nmap.org/book/data-files-replacing-data-files.html.
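As an added example (not nmap's own code and not from the diary), the shell script below reproduces the ranking that "-F" and "--top-ports N" rely on by sorting an nmap-services style file on its open-frequency column, and writes a custom file holding only the ports you care about for use with "--servicedb" or "--datadir". The excerpt and its frequency values are constructed for the example and do not reproduce the real nmap-services data.

```shell
#!/bin/sh
# Constructed excerpt in nmap-services format (name port/proto open-frequency
# [# comment]); the frequency values are made up for this example.
SAMPLE_SERVICES='# Fields: name port/proto open-frequency optional-comments
unknown 4/tcp   0.000477
rje     5/udp   0.000593        # Remote Job Entry
echo    7/tcp   0.004855
echo    7/udp   0.024679
ssh     22/tcp  0.182286
domain  53/udp  0.213496
http    80/tcp  0.484143
auth    113/tcp 0.012634
snmp    161/udp 0.433467
https   443/tcp 0.208669'

WORKDIR=$(mktemp -d)
SAMPLE_FILE="$WORKDIR/nmap-services"
printf '%s\n' "$SAMPLE_SERVICES" > "$SAMPLE_FILE"

# top_ports FILE N PROTO: reproduce the selection behind "--top-ports N" for
# one protocol: rank FILE's entries by the open-frequency column and print the
# N highest as a comma-separated list (an independent reimplementation for
# illustration, not nmap's own code).
top_ports() {
    awk -v proto="$3" '
        /^#/ || NF < 3 { next }
        { split($2, pp, "/"); if (pp[2] == proto) print $3, pp[1] }
    ' "$1" | sort -k1,1 -g -r | head -n "$2" |
    awk '{ printf "%s%s", (NR > 1 ? "," : ""), $2 } END { print "" }'
}

# make_servicedb OUT PROTO PORT...: write a custom nmap-services style file
# holding only the ports you care about; point nmap at it with --servicedb OUT
# (or place it in a directory and use --datadir). Every entry gets the same
# frequency, so "-F" / "--top-ports" on this file can only pick from your list.
make_servicedb() {
    out=$1; proto=$2; shift 2
    : > "$out"
    for p in "$@"; do
        printf 'custom-%s\t%s/%s\t1.000000\n' "$p" "$p" "$proto" >> "$out"
    done
}

echo "top 3 tcp: $(top_ports "$SAMPLE_FILE" 3 tcp)"   # 80,443,22
echo "top 2 udp: $(top_ports "$SAMPLE_FILE" 2 udp)"   # 161,53
make_servicedb "$WORKDIR/my-nmap-services" tcp 22 80 443 8080
echo "custom entries: $(grep -c '/tcp' "$WORKDIR/my-nmap-services")"   # 4
```

Feeding the real nmap-services file to top_ports shows the same port list nmap would choose for "--top-ports N" for that protocol, which is a quick way to check what "-F" actually covers before relying on it.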


3. What is the default port used by nmap for UDP ping discovery (-PU)? Why? If you don't know it from the top of your head ;), how can you easily identify this port without using other tools (such as a sniffer) or inspecting nmap's source code?

By default, nmap sends an empty UDP packet to port UDP/31338 for the UDP ping discovery method ("-PU"). The reason is that there is a high chance this random high port is closed, which is the state nmap wants: a closed port elicits an ICMP port unreachable packet in return, and that reply reveals the existence of a host. The port number is defined in nmap.h, specifically in the DEFAULT_UDP_PROBE_PORT_SPEC constant. Did you notice that it is 31337, the elite port (31337 in haxor speak), plus one?

Currently, nmap provides the "--packet-trace" option to gather detailed information about the network traffic and the individual packets sent and received during its operations. Effectively, this option acts as a built-in sniffer, very useful for seeing what nmap is doing behind the scenes.

# nmap -PU --packet-trace scanme.nmap.org

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-21 10:58 GMT
SENT (0.6580s) UDP 192.168.166.166:59676 > 64.13.134.52:31338 ttl=58 id=45958 iplen=28
SENT (1.6560s) UDP 192.168.166.166:59677 > 64.13.134.52:31338 ttl=59 id=46599 iplen=28
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 2.68 seconds


4. When nmap is run, sometimes it is difficult to know what is going on behind the scenes. What two (nmap) options allow you to gather detailed but not overwhelming information about nmap's port scanning operations? What other extra (nmap) options are available for ultra-detailed information?

The first of the options has already been mentioned and used in the previous question, "--packet-trace". It provides tcpdump-like output about the packets sent and received. Additionally, nmap provides the "--reason" option to display the reason why a port has been classified in a specific state: open, closed, filtered, etc.

# nmap -F -sSU --reason scanme.nmap.org

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-21 11:00 GMT
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 99 open|filtered ports, 96 filtered ports
Reason: 194 no-responses and 1 admin-prohibited
PORT    STATE  SERVICE REASON
22/tcp  open   ssh     syn-ack
25/tcp  closed smtp    reset
53/tcp  open   domain  syn-ack
80/tcp  open   http    syn-ack
113/tcp closed auth    reset

Nmap done: 1 IP address (1 host up) scanned in 7.95 seconds

# nmap -F -sU --reason scanme.nmap.org

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-21 11:02 GMT
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 99 open|filtered ports
Reason: 99 no-responses
PORT    STATE    SERVICE REASON
520/udp filtered route   admin-prohibited from 192.168.15.1

Nmap done: 1 IP address (1 host up) scanned in 15.90 seconds

For those interested in gathering as much information as possible about nmap's operations, the "-v" verbosity option and the "-dN" debugging option are available. These tell nmap to be verbose (multiple verbosity levels are allowed) or set the debug level for troubleshooting purposes, where N can have a value between 1 and 9. Be careful when you use it! Try it and be ready for a Matrix-like output 8-)

# nmap -p80 -sS -v scanme.nmap.org

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-21 11:07 GMT
Initiating Ping Scan at 11:07
Scanning 64.13.134.52 [2 ports]
Completed Ping Scan at 11:07, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:07
Completed Parallel DNS resolution of 1 host. at 11:07, 0.24s elapsed
Initiating SYN Stealth Scan at 11:07
Scanning scanme.nmap.org (64.13.134.52) [1 port]
Discovered open port 80/tcp on 64.13.134.52
Completed SYN Stealth Scan at 11:07, 0.26s elapsed (1 total ports)
Host scanme.nmap.org (64.13.134.52) appears to be up ... good.
Interesting ports on scanme.nmap.org (64.13.134.52):
PORT   STATE SERVICE
80/tcp open  http

Read data files from: .
Nmap done: 1 IP address (1 host up) scanned in 6.13 seconds
           Raw packets sent: 3 (112B) | Rcvd: 2 (72B)


# nmap -p80 -sS -d1 scanme.nmap.org

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-21 11:08 GMT
--------------- Timing report ---------------
  ...
---------------------------------------------
Initiating Ping Scan at 11:08
Scanning 64.13.134.52 [2 ports]
...
Nmap done: 1 IP address (1 host up) scanned in 0.74 seconds
           Raw packets sent: 3 (112B) | Rcvd: 2 (72B)

Try it on your own! ;)


5. What are the preferred (nmap) options to run a stealthy TCP port scan? In particular, try to avoid detection by someone running a sniffer near the person running nmap, and focus on the extra actions performed by the tool (assuming the packets required to complete the port scan are not detected).

Most current network IDSs can detect the default packets generated by nmap when port scanning a target. We are assuming here that these cannot be detected, so a stealthier scan can be launched by using the "-n" option (not used in any of the Nmap Trivia examples), which disables all reverse DNS resolution at the nmap level. Most Unix-based security tools provide this same option for the same purpose.

# nmap -F -n scanme.nmap.org

However, this way you lose the sometimes valuable DNS information. You can use the "--dns-servers" option to indicate the recursive DNS servers to use as DNS proxies when resolving the target IP address.
More stealth-related details are in answer number 12.

6. Why is port number 49152 relevant to nmap?

Port 49152 is the first of the ephemeral ports for dynamic usage according to IANA. However, the actual port assignment depends on the implementation of your tools or operating system. See http://www.iana.org/assignments/port-numbers:
- The Well Known Ports are those from 0 through 1023
- The Registered Ports are those from 1024 through 49151
- The Dynamic and/or Private Ports are those from 49152 through 65535

7. What is the only nmap TCP scan type that classifies the target ports as "unfiltered"? Why? What additional nmap scan type can be used to discern if those ports (previously identified as "unfiltered") are in an open or closed state?

The only nmap scan type that can show a port in the "unfiltered" state is the TCP ACK scan, "-sA" option. The reason is that this scan cannot differentiate between an open and a closed port, as a target host (if unfiltered) will always reply with a RST packet. This is the standard behaviour for a closed port, and it is also standard for an open port for which there is no previously established connection to map the ACK packet to. Therefore, nmap's ACK scan cannot be considered a port scan, as it cannot differentiate between port states, but rather a host discovery scan.

The TCP Window scan, "-sW" option, is similar to the TCP ACK scan, but it can differentiate between open and closed ports in some scenarios.

8. When (and in what nmap version) was the default state for a non-responsive UDP port changed in nmap (from "open" to "open|filtered")? Why?

The default state for a non-responsive UDP port was changed (from "open" to "open|filtered") in nmap version 3.70 in 2004. The reason was accuracy, as the extensive use of filtering devices by that time made filtered UDP ports always appear as open in previous nmap versions.

9. What is the default scan type used by nmap when none is specified, as in "nmap -T4 scanme.nmap.org"? Is this always the default scan method? If not, what other scan method does nmap default to, under what conditions, and why?

The current nmap version performs a TCP SYN scan ("-sS" option) by default when no scan type is specified. However, this is only the default behavior when nmap is launched as a privileged user (e.g. root on Linux). The TCP connect scan, "-sT" option (connect() syscall), is used by default for non-privileged users, as they cannot send the raw packets the SYN scan requires, and also when there are IPv6 targets.

# ./nmap -PN -p80,81 --packet-trace scanme.nmap.org

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-21 11:22 GMT
...
SENT (0.3730s) TCP 192.168.166.166:56464 > 64.13.134.52:80 S ttl=50 \
    id=8102 iplen=44  seq=1698869517 win=3072 <mss 1460>
SENT (0.3740s) TCP 192.168.166.166:56464 > 64.13.134.52:81 S ttl=43 \
    id=48226 iplen=44  seq=1698869517 win=4096 <mss 1460>
RCVD (0.6120s) TCP 64.13.134.52:80 > 192.168.166.166:56464 SA ttl=48 \
    id=0 iplen=44  seq=2849983456 win=5840 ack=1698869518 <mss 1452>
RCVD (1.9570s) TCP 64.13.134.52:80 > 192.168.166.166:40972 SA ttl=48 \
    id=0 iplen=44  seq=2805666242 win=5840 ack=2103880733 <mss 1452>
SENT (2.5730s) TCP 192.168.166.166:56465 > 64.13.134.52:81 S ttl=55 \
    id=14744 iplen=44  seq=1698935052 win=4096 <mss 1460>
Interesting ports on scanme.nmap.org (64.13.134.52):
PORT   STATE    SERVICE
80/tcp open     http
81/tcp filtered hosts2-ns

Nmap done: 1 IP address (1 host up) scanned in 3.79 seconds

$ ./nmap -PN -p80,81 --packet-trace scanme.nmap.org

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-21 11:25 GMT
...
CONN (0.1290s) TCP localhost > 64.13.134.52:80 => Operation now in progress
CONN (0.1290s) TCP localhost > 64.13.134.52:81 => Operation now in progress
CONN (2.3510s) TCP localhost > 64.13.134.52:81 => Operation now in progress
Interesting ports on scanme.nmap.org (64.13.134.52):
PORT   STATE    SERVICE
80/tcp open     http
81/tcp filtered hosts2-ns

Nmap done: 1 IP address (1 host up) scanned in 3.57 seconds

 

10. What nmap features (can make or) make use of nmap's raw packet capabilities? What nmap features rely on the OS TCP/IP stack instead?

Nmap makes use of raw packet capabilities by default ("--send-eth" option), as demonstrated in the previous question, for features such as TCP and UDP port scans launched by privileged users (except for the connect scan and the FTP bounce scan) and fragmentation probes. Other features like the Nmap Scripting Engine and version detection rely on the OS TCP/IP stack.

11. Nmap's performance has sometimes been criticized in comparison with other network scanners. What (nmap) options can you use to turn nmap into a faster, stateless scanner for high performance but less accurate results?

If the congestion control and packet loss detection algorithms are omitted, a scanner will run faster. Nmap can approximate the behaviour of stateless scanners, which have no code to track and retransmit probes, by using the following options:

# ./nmap --min-rate 1000 --max-retries 0 ...

These tell nmap to send at least 1000 packets per second (if your system or wire can) and disable retransmission of timed-out probes. However, take into account the impact this might have on the accuracy of the results.

# ./nmap -PN -n --min-rate 1000 --max-retries 0 -F scanme.nmap.org

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-21 12:08 GMT
Warning: Giving up on port early because retransmission cap hit.
Interesting ports on 64.13.134.52:
Not shown: 95 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
53/tcp  open   domain
80/tcp  open   http
113/tcp closed auth

Nmap done: 1 IP address (1 host up) scanned in 1.06 seconds

12. What relevant nmap feature does not allow an attacker to use the decoy functionality (-D) and might reveal his real IP address?

Apart from the previously mentioned "-n" option to run stealthier scans and avoid IDS detection, there are other related options, such as "--data-length" to change the default empty payload used for some probes, "--ttl" to modify the TTL of the sent packets, the timing options ("-T"), "--randomize-hosts" to change the order in which the target hosts are scanned, or "-D" to launch a decoy scan (making the scan appear to come from multiple hosts).

Decoys are used in the ping discovery, port scanning, and remote OS detection phases. However, this feature does not apply when DNS queries or service version detection ("-sV" or "-A") are used, so the real source IP address is disclosed.

13. What are the (nmap) options you can use to identify all the steps followed by nmap to fingerprint and identify the Web server version running on scanme.nmap.org?

# ./nmap -sSV -p80 --version-trace scanme.nmap.org

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-21 12:17 GMT
...
SCRIPT ENGINE: Initiating script scanning.
SCRIPT ENGINE: Script scanning scanme.nmap.org (64.13.134.52).
SCRIPT ENGINE: Initialized 4 rules
SCRIPT ENGINE: Matching rules.
SCRIPT ENGINE: Running scripts.
SCRIPT ENGINE: Script scanning completed.
Scanned at 2009-01-21 12:17:57 GMT for 8s
Interesting ports on scanme.nmap.org (64.13.134.52):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.2 ((Fedora))
Final times for host: srtt: 238764 rttvar: 179294  to: 955940

Read from .: nmap-rpc nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.17 seconds


The "-sSV" option allows you to focus on a TCP scan type (SYN scan in this case, "-sS"), and fingerprint the service ("-sV"). In order to just target the web server (supposing HTTP (TCP/80) is the target port, and not HTTPS (TCP/443)), the "-p80" option must be used.

The "--version-trace" option is similar to the "--packet-trace" option, but instead of dumping the network traffic, it dumps all the actions or steps performed by nmap during the execution of the service fingerprinting modules. Additionally, other debug options ("-dN") can be added to gather further details.

14. As an attacker, what port number would you select to hide a listening service backdoor trying to avoid an accurate detection by nmap's default aggressive fingerprinting tests? Would it be TCP or UDP? Why? What additional (nmap) options do you need to specify as a defender to fingerprint the hidden service backdoor?

If a port in the range TCP/9100-9107 is selected for a backdoor, nmap won't fingerprint the service, because these are common ports for printer services. They are excluded by default from the service fingerprinting tests ("-sV") and the aggressive scan options ("-A"), in an effort to save the planet, trees and forests specifically, by not making printers dump dozens of pages full of nmap probes and garbage in response to the stimulus received from the scan.

If you want to enable service fingerprinting on all ports, there are two options. The "--allports" option can be specified, as in "nmap -A --allports", or the nmap-service-probes file can be modified to enable these ports by removing the "Exclude" directive.
 

15. What is the language used to write NSE scripts, and what two other famous open-source security tools/projects currently use the same language?

Nmap uses the Lua (www.lua.org) programming language. Lua (pronounced LOO-ah) means "Moon" in Portuguese, or "Luna" in Spanish ;) Other famous open-source security tools, like Wireshark and Snort, use Lua to extend their capabilities.
 

16. What Linux/Windows command can you use to identify the list of NSE scripts that belong to the "discovery" category and will execute when this set of scripts is selected with the "--script discovery" nmap option?

By default, NSE scripts are available under the "scripts" directory (however, nmap searches other locations too: --datadir, $NMAPDIR, etc.), with the ".nse" file extension. All NSE scripts belong to one or more categories, defined inside the script and indexed in the scripts/script.db database (when updated through the "--script-updatedb" option).

Therefore, a couple of ways to search for discovery scripts in Linux are:

# grep discovery scripts/*.nse
scripts/ASN.nse:categories = {"discovery", "external"}
scripts/HTTP_open_proxy.nse:categories = {"default", "discovery", "external", "intrusive"}
scripts/HTTPtrace.nse:categories = {"discovery"}
...

# grep discovery scripts/script.db
Entry{ category = "discovery", filename = "HTTPtrace.nse" }
Entry{ category = "discovery", filename = "rpcinfo.nse" }
Entry{ category = "discovery", filename = "SMTPcommands.nse" }
...

You can perform a similar search in Windows using the built-in search capabilities (searching by "A word or phrase in the file" to look inside the directory) or the find or findstr commands (to search within a file or set of files).

17. How can you know the specific arguments accepted by a specific NSE script, such as those accepted by the whois.nse script?

In order to identify the arguments that can be passed through the "--script-args" option to an NSE script, e.g. whois.nse, check the documentation or code within the script file. If it is properly documented, search for "-- @args" to go to the arguments documentation section.
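The grep commands from question 16 and the "-- @args" convention from question 17 can be combined into one small inventory script. The following is an added example, not from the diary and not part of nmap: it parses the categories table in each .nse file, so a script is listed for a category only when it actually declares it (a plain grep would also match a script that merely mentions the word in a comment), and it lists the arguments a given script documents. The scripts directory is a constructed stand-in built from placeholder scripts, not the real nmap scripts.

```shell
#!/bin/sh
# Constructed miniature "scripts" directory with NSE-style headers. These are
# not the real nmap scripts; only the "categories" table and the "-- @args"
# lines follow the real layout.
NSE_DIR=$(mktemp -d)
cat > "$NSE_DIR/example-trace.nse" <<'EOF'
description = [[ Constructed example; not in the intrusive category. ]]
-- the word intrusive above must not make this script match that category
categories = {"discovery"}
EOF
cat > "$NSE_DIR/example-proxy.nse" <<'EOF'
categories = {"default", "discovery", "external", "intrusive"}
EOF
cat > "$NSE_DIR/example-whois.nse" <<'EOF'
-- @args whodb Which whois services to query (constructed argument).
-- @args whois.nofollow Do not follow referrals (constructed argument).
categories = {"discovery", "external"}
EOF

# scripts_in_category DIR CATEGORY: list the scripts whose "categories" table
# contains CATEGORY. The table is parsed rather than grepped for the word, so
# a script that only mentions the word elsewhere does not match.
scripts_in_category() {
    for f in "$1"/*.nse; do
        awk -v cat="$2" -v name="$(basename "$f")" '
            /^categories[ \t]*=/ {
                sub(/^[^{]*[{]/, ""); sub(/[}].*$/, "")
                n = split($0, parts, ",")
                for (i = 1; i <= n; i++) {
                    gsub(/[ \t"]/, "", parts[i])
                    if (parts[i] == cat) { print name; exit }
                }
            }' "$f"
    done | sort
}

# script_args DIR SCRIPT: print the argument names the script documents with
# "-- @args", i.e. what it accepts through --script-args.
script_args() {
    awk '/^--[ \t]*@args[ \t]+/ { sub(/^--[ \t]*@args[ \t]+/, ""); print $1 }' "$1/$2"
}

echo "discovery: $(scripts_in_category "$NSE_DIR" discovery | tr '\n' ' ')"
echo "intrusive: $(scripts_in_category "$NSE_DIR" intrusive | tr '\n' ' ')"
echo "whois args: $(script_args "$NSE_DIR" example-whois.nse | tr '\n' ' ')"
```

Pointing NSE_DIR at a real nmap scripts directory answers the practical question behind question 16: which scripts, including any intrusive ones, will actually run when "--script discovery" is selected.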

Finally, a couple of extra questions for the real nmap-lovers:

  1. How can you get, in real time, the open ports discovered by nmap before the final report is displayed?
  2. What happens when you run nmap in verbose mode on September 1?

That's all folks! Happy nmap discovery and scanning!

--
Raul Siles
www.raulsiles.com

Keywords: nmap