Joe Vest, James Tubberville. Red Team Development and Operations: A Practical Guide
Vulnerability Scanners
Red Teams do not commonly use vulnerability scanners. These tools tend to be loud and to generate a tremendous amount of traffic. Vulnerability identification by a Red Team focuses on OSINT, low and slow enumeration, intelligent guessing, or other non-intrusive methods. There are cases where vulnerability scanners are useful. For example, a Red Team has identified a web application built on Joomla with paths to the Red Team's goals. They would like to know if the version of Joomla is vulnerable. A standard vulnerability scanner could be employed, but this could be overkill for a single application. Instead, the team may tune a vulnerability scanner to check for a small set of Joomla-based flaws. Using a focused scan would minimize exposure. They could also manually extract version information from the web application. In any case, caution should be taken before running a vulnerability scanner, to reduce exposure. If more intrusive scanning is needed, performing the scan from a burnable source that is dedicated to louder activities would protect more sensitive sources from being exposed.
In the end, the choice of when or how to use a vulnerability scanner comes down to risk. Think about the following before running a vulnerability scanner:
Does the risk of exposure from running a generally loud tool outweigh the potential knowledge learned?
Are there other ways to identify a vulnerability without using the automated scanner?
Will exploitation of a vulnerability provide a path that is beneficial to a Red Team's goal? (Remember that vulnerability identification is typically not a Red Team engagement goal.)

Remember This
Just because a target is vulnerable, doesn't mean it must be exploited!
NMAP and network scanning
Nmap [14] is a core tool for penetration testers and security analysts. It was written and is maintained by Fyodor [15]. Nmap is often used as a port scanner to determine the status of TCP and UDP ports on a target system. The tool is not just a simple port scanner but a highly capable network enumeration tool allowing for a large variety of enumeration techniques. It can be extended through the use of NSE (Nmap Scripting Engine) scripts. According to the Nmap documentation, the Nmap Scripting Engine (NSE) is one of Nmap's most powerful features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. NSE scripts are extremely useful. They can be used to enumerate a system for information or to identify vulnerabilities.
In short, Nmap can be used for simple enumeration or in-depth vulnerability scanning. Its flexibility and power allow for a great deal of capability to enumerate a target; however, this power can be a double-edged sword. Nmap is not necessarily designed to be stealthy but to be very capable. A Red Team operator must understand what indicators are being generated when using Nmap's various capabilities. This text will not go into great depth on the Nmap tool but will cover some basic usage to highlight an everyday use case for a Red Team. These concepts apply to several tools. Nmap is discussed because of its popularity and use in security testing in general.
Let's look at an Nmap command with several options:
nmap -sT -T2 -Pn -n -oA <output-basename> -p 80,443,8080 <target>
Here is the breakdown of the command arguments:
-sT

This forces Nmap to perform a full connect scan. Nmap's default is -sS, or a stealth scan. A full connect scan completes the full TCP handshake (SYN, SYN/ACK, ACK) and sends a RST to gracefully tear down the connection. A -sS scan sends only a SYN and waits for a response or timeout; a full connection is never established. Although the term stealth is used, this behavior can indicate a scan is being run against a target. In general, full connect scans produce fewer triggers on network security devices. This is especially true when they are executed very slowly.
-T2

This is an Nmap timing template. They range from 0 to 5. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). According to the Nmap documentation, "While -T0 and -T1 may be useful for avoiding IDS alerts, they will take an extraordinarily long time to scan thousands of machines or ports. For such a long scan, you may prefer to set the exact timing values you need rather than rely on the canned -T0 and -T1 values."

The bottom line: control the speed of a scan to balance the gathering of information against sending packets too quickly.

Nmap has many other timing control options. Refer to the help document for details.
-Pn

Treat all hosts as online; skip host discovery.

This disables the default tests Nmap uses to discover if a host is online.

If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted, because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options.

For machines on a local Ethernet network, ARP scanning will still be performed (unless --disable-arp-ping or --send-ip is specified), because Nmap needs MAC addresses to further scan target hosts. In previous versions of Nmap, -Pn was -P0 and -PN.
-n

Never do DNS resolution.

This is recommended as a default. If the DNS servers are public, this is not as much of an issue. If you are using a target's DNS servers, sending DNS queries while performing a port scan may be considered unnecessary.
-oA

Output in three formats (normal, greppable, and XML).

Data collection is extremely important during a Red Team engagement. Using Nmap's built-in feature allows results to be captured and potentially parsed by other tools.
-p

The ports to scan.

Setting the specific ports is a best practice. Using Nmap's default may be helpful in finding unknown services, but a targeted, intelligent guess can help find specific services.

If you are looking for web servers, choose ports that would most likely be associated with your target. OSINT and recon prior to a scan will help determine the appropriate ports to enumerate.
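Because -oA writes a greppable (.gnmap) file alongside the normal and XML output, the results can be loaded by other tooling. As an added example that is not from the book, here is a minimal parser for the .gnmap layout run on a constructed sample; the hosts, the basename web and the timestamps are made up.

```python
# Constructed sample in the layout of Nmap's greppable (.gnmap) output; the
# hosts, the basename "web" and the timestamps are made up, not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Feb 13 10:00:00 2023 as: nmap -sT -T2 -Pn -n -oA web -p 80,443,8080 10.0.0.20 10.0.0.21
Host: 10.0.0.20 ()\tStatus: Up
Host: 10.0.0.20 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///
Host: 10.0.0.21 ()\tStatus: Up
Host: 10.0.0.21 ()\tPorts: 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (1)
# Nmap done at Mon Feb 13 10:05:00 2023 -- 2 IP addresses (2 hosts up) scanned in 300.12 seconds
"""

def parse_gnmap(text: str) -> dict:
    """Return {host: {port: (state, protocol, service)}} from greppable output.
    '#' comment lines and Status-only lines carry no port data and are skipped."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields, e.g. Host, Status, Ports, Ignored State
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        addr = fields["Host"].split()[0]          # "10.0.0.20 ()" -> "10.0.0.20"
        hosts.setdefault(addr, {})
        if "Ports" not in fields:
            continue
        for entry in fields["Ports"].split(", "):
            # port/state/protocol/owner/service/rpcinfo/version/ -> 8 slash-split pieces
            port, state, proto, _owner, service, _rpc, _ver, _ = entry.split("/")
            hosts[addr][int(port)] = (state, proto, service)
    return hosts

def open_ports(hosts: dict, service_prefix: str = "http") -> dict:
    """host -> sorted open ports whose service name starts with service_prefix."""
    result = {}
    for host, ports in hosts.items():
        hits = sorted(p for p, (state, _proto, svc) in ports.items()
                      if state == "open" and svc.startswith(service_prefix))
        if hits:
            result[host] = hits
    return result
```

Ports in the "Ignored State" are not listed in the Ports field, so a host's dictionary only holds the ports Nmap reported individually.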
Please note that even with these suggestions, there are situations when stealth or risk tolerance is less important. Perhaps you are using Nmap to trigger a Blue Team response. A loud scan may be needed to gain information for access to a target. In any case, a Red Team must control their IOCs and manage their risk of exposure to meet the goals of an engagement. Understanding and controlling Red Team tools is the key takeaway for this section. This example is only a small look at Nmap. Nmap offers numerous methods of controlling its traffic. Refer to the documentation at https://nmap.org/docs.html for details.
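As an added example that is not from the book, the classifier below runs over constructed flow records and shows, from the sensor's side, the indicator difference the -sT and -T2 discussion describes: a -sS probe leaves a SYN, SYN/ACK, RST exchange, a -sT probe a completed handshake followed by a RST, and a -T2 style scan spreads the same fan-out across ports over minutes, so a detector that counts ports within a short window misses it. The record format, addresses and timestamps are made up.

```python
from collections import defaultdict

# Constructed flow records (not from the book). Fields: epoch seconds, source,
# destination, destination port, and the TCP flag sequence a sensor saw for that flow.
SAMPLE_PROBES = """\
1000.0 10.0.0.5 10.0.0.20 80 SYN,SYN/ACK,RST
1000.1 10.0.0.5 10.0.0.20 443 SYN,SYN/ACK,RST
1000.2 10.0.0.5 10.0.0.20 8080 SYN,RST/ACK
1000.3 10.0.0.5 10.0.0.20 22 SYN,SYN/ACK,RST
1005.0 10.0.0.9 10.0.0.20 80 SYN,SYN/ACK,ACK,RST
1305.0 10.0.0.9 10.0.0.20 443 SYN,SYN/ACK,ACK,RST
1605.0 10.0.0.9 10.0.0.20 8080 SYN,RST/ACK
1700.0 10.0.0.33 10.0.0.20 443 SYN,SYN/ACK,ACK,FIN/ACK,FIN/ACK,ACK
"""

def probe_kind(flags: str) -> str:
    """Map one flow's flag sequence onto the behaviours the text describes."""
    seq = flags.split(",")
    if seq[:2] == ["SYN", "RST/ACK"]:
        return "closed"        # closed port: the target answered with RST/ACK
    if seq == ["SYN", "SYN/ACK", "RST"]:
        return "half_open"     # -sS style: SYN/ACK came back, handshake never completed
    if seq == ["SYN", "SYN/ACK", "ACK", "RST"]:
        return "full_connect"  # -sT style: full handshake, then an immediate RST
    return "session"           # anything else looks like an ordinary client session

def summarize(records: str) -> dict:
    """Per source address: distinct ports touched, probe kinds, and probe timing."""
    by_src = defaultdict(lambda: {"ports": set(), "half_open": 0, "full_connect": 0, "ts": []})
    for line in records.strip().splitlines():
        ts, src, _dst, port, flags = line.split()
        info = by_src[src]
        info["ports"].add(int(port))
        info["ts"].append(float(ts))
        kind = probe_kind(flags)
        if kind in ("half_open", "full_connect"):
            info[kind] += 1
    out = {}
    for src, info in by_src.items():
        span = max(info["ts"]) - min(info["ts"])
        out[src] = {"ports": len(info["ports"]), "half_open": info["half_open"],
                    "full_connect": info["full_connect"], "span_sec": span,
                    "probes_per_sec": len(info["ts"]) / span if span > 0 else None}
    return out

def scan_sources(summary: dict, window_sec: float, min_ports: int = 3) -> list:
    """Sources that fanned out to >= min_ports within window_sec. A -T2 style scan
    spreads probes over minutes, so a short window never sees enough ports at once."""
    return sorted(src for src, s in summary.items()
                  if s["ports"] >= min_ports and s["span_sec"] <= window_sec)
```

With a 60-second window only the fast half-open source is reported; widening the window to an hour also surfaces the slow full-connect source, while the single ordinary session is never flagged.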