Implementing Service scanning in OWASP-Nettacker

[pradeepjairamani]

OWASP-Nettacker currently lacks the power of scanning a network for running services before doing vulnerability assessment and sending payloads; hence every attack can end up useless if the service is running at a different port. Let’s take an example, when doing network scanning if a Secure Socket Layer is running on a port or if the port is using an SSL tunnel in order to protect its users from MITM attack then we first scan that service for SSL vulnerabilities like CCS injection, Heartbleed, Logjam, Poodle, and many others in order to keep the tunnel secure and the user’s data protected, this will boost the discovery rate of vulnerabilities.

For services like SSH, SMTP, FTP and other common services we will be using normal banner grabbing techniques where Python sockets will be used. A typical FTP banner gives us information about the product and version being used on FTP service that is Bftpd 1.6.6 which could enumerate multiple vulnerabilities without sending any payloads to the server.

[+] 192.168.2.1:220 bftpd 1.6.6 at 192.168.2.1 ready.

For services like HTTP/HTTPS, we will be using Python-Requests module which will be helpful for detecting the server running by header information, a typical header looks like this which gives us information about the running services & version on the port which is Nginx/1.10.3 and the OS details which is Linux Ubuntu.

({'date': 'Thu, 08 Mar 2018 14:23:48 GMT', 'connection': 'keep-alive', 'content-encoding': 'gzip', 'x-powered-by': 'Express', 'content-type': 'text/html; charset=utf-8', 'vary': 'Accept-Encoding', 'cache-control': 'public, max-age=0', 'etag': 'W/"3b51-DSUPhtrEeYNRRot/gk1jUt+PAnc"', 'server': 'nginx/1.10.3 (Ubuntu)', 'transfer-encoding': 'chunked'})

Many DNS servers are pre-configured with version information in DNS TXT records for the version bind label in the CHAOS class.

dig @dns.name.server version.bind chaos txt

Typical answers might include

;; ANSWER SECTION: version.bind. 0 CH TXT "9.8.1-P1" OR ;; ANSWER SECTION: version.bind. 1476526080 IN TXT "Microsoft DNS 6.1.7600 (1DB04228)" OR ;; ANSWER SECTION: version.bind. 0 CH TXT "dnsmasq-2.47"

Same can be implemented using nslookup ​for Windows ​system.

All the previous modules will be shifted to Service based detection instead of port-based detection after this implementation for better results.

[VictorSuraj]

@pradeepjairamani Currently I am working on this. And my whole idea to get service information. If port is open then it may give easily banner grabbing. But when any port is filtered then we bypass it by fragmentation of IP-address.

[pradeepjairamani]

@VictorSuraj I don't understand the part fragmentation of Ip-address. I will be using normal socket connect for open port detection, please explain your idea.

Best Regards

[VictorSuraj]

fragmentation means as a spoofed ip-address for the server where we want to send our packets. socket well work in banner grabbing but sometimes it is failed. because of, if server self response about there service then we grab banner through socket. But If server is not configured to give any response then socket failed there.

[Ali-Razmjoo]

Hey @VictorSuraj,

Is this need to create a raw socket? can you share a few references for your idea, it seems cool!

Regards.

[VictorSuraj]

fragmentation means not a spoofed ip-address but firewall of server cant detect our IP-address. because our IP-address information goes in server as in fragments(8-bit or 16-bit at a time of total 32-bit.)

[abiusx]

@VictorSuraj Can you please point to a scenario in which a socket attempt is not useful by fragmentation is? Please describe a service that we can setup and test, so that we can work on the solution.

[VictorSuraj]

my code is not currently ready. But I have a simple example. Some times while scanning about in services by nmap a output comes out as " server block our ping probes". So here we use a switch -Pn . I see some working of switch -Pn used by nmap. And I found that it sends our IP-address in fragments.

[VictorSuraj]

switch "-Pn" used in nmap for bypass firewall so my idea to grab enough information about any port's services. I am using scapy for this task. Scapy covered many points at a time so that our code work much faster and determine more information.

[abiusx]

Yes, but ping uses ICMP protocol which is a lower level protocol compared to TCP, so it can not be done with sockets. However, all TCP services work with a socket.

[Ali-Razmjoo]

I am not sure about nmap structure, but in the help menu says -Pn: Treat all hosts as online -- skip host discovery, I though nmap use SYN/ACK to bypass some firewalls and grab information (such as OS and OS Version)

[pradeepjairamani]

@VictorSuraj switch -Pn is not a firewall evasion technique, It just doesn't checks if the server is offline or online and scans all the open ports.

[VictorSuraj]

@abiusx While connecting to a filtered port. socket can not work here. A timeout definitely comes out. So for this purpose we need fragmentation and I think nettacker used scapy. And we can do a lot with this. please If you give me some more about socket in fragmentation then send me. I read it and response soon.

[pradeepjairamani]

@VictorSuraj I haven't worked much with scapy, but can you demonstrate a code where we can see different closed ports and filtered ports?

Best Regards

[Ali-Razmjoo]

correct, we used scapy, but I will glad if we can find or create a replacement, we already have some license issues, if we can remove requirements it would us so much, so any contribution in this area are so welcomed.

[Ali-Razmjoo]

@pradeepjairamani thanks for mentioning this, I also looking forward to see a sample code to improve our libraries.

in any case if you need a test server to scan, we have a closed port 3389 on our server nettacker.z3r0d4y.com that you have permission to do all your tests. also, you are permitted to do test for the filtered ports on zdresearch.com.

# nettacker.z3r0d4y.com
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
25/tcp   open   smtp
80/tcp   open   http
443/tcp  open   https
587/tcp  open   submission
3389/tcp closed ms-wbt-server
5000/tcp open   upnp
8000/tcp open   http-alt
8083/tcp open   us-srv

# zdresearch.com
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
2222/tcp open     EtherNetIP-1
3306/tcp open     mysql

Best Regards.

[pradeepjairamani]

I am going to add these top 100 ports for service scanning, after that we can add more to the service scanner.

• http 80/tcp 0.484143 # World Wide Web HTTP
• telnet 23/tcp 0.221265
• https 443/tcp 0.208669 # secure http (SSL)
• ftp 21/tcp 0.197667 # File Transfer [Control]
• ssh 22/tcp 0.182286 # Secure Shell Login
• smtp 25/tcp 0.131314 # Simple Mail Transfer
• ms-wbt-server 3389/tcp 0.083904 # Microsoft Remote Display Protocol (aka ms-term-serv, microsoft-rdp) | MS WBT Server
• pop3 110/tcp 0.077142 # PostOffice V.3 | Post Office Protocol - Version 3
• microsoft-ds 445/tcp 0.056944 # SMB directly over IP
• netbios-ssn 139/tcp 0.050809 # NETBIOS Session Service
• imap 143/tcp 0.050420 # Interim Mail Access Protocol v2 | Internet Message Access Protocol
• domain 53/tcp 0.048463 # Domain Name Server
• msrpc 135/tcp 0.047798 # epmap | Microsoft RPC services | DCE endpoint resolution
• mysql 3306/tcp 0.045390
• http-proxy 8080/tcp 0.042052 # http-alt | Common HTTP proxy/second web server port | HTTP Alternate (see port 80)
• pptp 1723/tcp 0.032468 # Point-to-point tunnelling protocol
• rpcbind 111/tcp 0.030034 # sunrpc | portmapper, rpcbind | SUN Remote Procedure Call
• pop3s 995/tcp 0.029921 # POP3 protocol over TLS/SSL | pop3 protocol over TLS/SSL (was spop3)
• imaps 993/tcp 0.027199 # imap4 protocol over TLS/SSL
• vnc 5900/tcp 0.023560 # rfb | Virtual Network Computer display 0 | Remote Framebuffer
• NFS-or-IIS 1025/tcp 0.022406 # blackjack | IIS, NFS, or listener RFS remote_file_sharing | network blackjack
• submission 587/tcp 0.019721 # Message Submission
• sun-answerbook 8888/tcp 0.016522 # ddi-udp-1 | ddi-tcp-1 | Sun Answerbook HTTP server. Or gnump3d streaming music server | NewsEDGE server TCP (TCP 1) | NewsEDGE server UDP (UDP 1)
• smux 199/tcp 0.015945 # SNMP Unix Multiplexer
• h323q931 1720/tcp 0.014277 # h323hostcall | Interactive media | H.323 Call Control Signalling | H.323 Call Control
• smtps 465/tcp 0.013888 # igmpv3lite | urd | smtp protocol over TLS/SSL (was ssmtp) | URL Rendesvous Directory for SSM | IGMP over UDP for SSM
• afp 548/tcp 0.012395 # afpovertcp | AFP over TCP
• ident 113/tcp 0.012370 # auth | ident, tap, Authentication Service | Authentication Service
• hosts2-ns 81/tcp 0.012056 # HOSTS2 Name Server
• X11:1 6001/tcp 0.011730 # X Window server
• snet-sensor-mgmt 10000/tcp 0.011692 # ndmp | SecureNet Pro Sensor https management server or apple airport admin | Network Data Management Protocol
• shell 514/tcp 0.011078 # syslog | BSD rshd(8) | cmd like exec, but automatic authentication is performed as for login server
• sip 5060/tcp 0.010613 # Session Initiation Protocol (SIP)
• bgp 179/tcp 0.010538 # Border Gateway Protocol
• LSA-or-nterm 1026/tcp 0.010237 # cap | nterm remote_login network_terminal | Calendar Access Protocol
• cisco-sccp 2000/tcp 0.010112 # cisco SCCP (Skinny Client Control Protocol) | Cisco SCCP | Cisco SCCp
• https-alt 8443/tcp 0.009986 # pcsync-https | Common alternative https port | PCsync HTTPS
• http-alt 8000/tcp 0.009710 # irdmi | A common alternative http port | iRDMI
• filenet-tms 32768/tcp 0.009199 # Filenet TMS
• rtsp 554/tcp 0.008104 # Real Time Stream Control Protocol | Real Time Streaming Protocol (RTSP)
• rsftp 26/tcp 0.007991 # RSFTP
• ms-sql-s 1433/tcp 0.007929 # Microsoft-SQL-Server
• unknown 49152/tcp 0.007907
• dc 2001/tcp 0.007339 # wizard | or nfr20 web queries | curry
• printer 515/tcp 0.007214 # spooler (lpd) | spooler
• http 8008/tcp 0.006843 # http-alt | IBM HTTP server | HTTP Alternate
• unknown 49154/tcp 0.006767
• IIS 1027/tcp 0.006724 # 6a44 | IPv6 Behind NAT44 CPEs
• nrpe 5666/tcp 0.006614 # Nagios NRPE
• ldp 646/tcp 0.006549 # Label Distribution
• upnp 5000/tcp 0.006423 # commplex-main | Universal PnP, also Free Internet Chess Server
• pcanywheredata 5631/tcp 0.006248
• ipp 631/tcp 0.006160 # Internet Printing Protocol -- for one implementation see http://www.cups.org (Common UNIX Printing System) | IPP (Internet Printing Protocol)
• unknown 49153/tcp 0.006158
• blackice-icecap 8081/tcp 0.006147 # sunproxyadmin | ICECap user console | Sun Proxy Admin Service
• nfs 2049/tcp 0.006110 # networked file system
• kerberos-sec 88/tcp 0.006072 # kerberos | Kerberos (v5) | Kerberos
• finger 79/tcp 0.006022
• vnc-http 5800/tcp 0.005947 # Virtual Network Computer HTTP Access, display 0
• pop3pw 106/tcp 0.005934 # 3com-tsmux | Eudora compatible PW changer | 3COM-TSMUX
• ccproxy-ftp 2121/tcp 0.005834 # scientia-ssdb | CCProxy FTP Proxy | SCIENTIA-SSDB
• nfsd-status 1110/tcp 0.005809 # nfsd-keepalive | webadmstart | Cluster status info | Start web admin server | Client status info
• unknown 49155/tcp 0.005702
• X11 6000/tcp 0.005683 # X Window server
• login 513/tcp 0.005595 # who | BSD rlogind(8) | remote login a la telnet; automatic authentication performed based on priviledged port numbers and distributed data bases which identify "authentication domains" | maintains data bases showing who's logged in to machines on a local net and the load average of the machine
• ftps 990/tcp 0.005570 # ftp protocol, control, over TLS/SSL
• wsdapi 5357/tcp 0.005474 # Web Services for Devices
• svrloc 427/tcp 0.005382 # Server Location
• unknown 49156/tcp 0.005322
• klogin 543/tcp 0.005282 # Kerberos (v4/v5)
• kshell 544/tcp 0.005269 # krcmd Kerberos (v4/v5) | krcmd
• admdog 5101/tcp 0.005156 # talarian-udp | talarian-tcp | (chili!soft asp) | Talarian_TCP | Talarian_UDP
• news 144/tcp 0.004981 # uma | NewS window system | Universal Management Architecture
• echo 7/tcp 0.004855
• ldap 389/tcp 0.004717 # Lightweight Directory Access Protocol
• ajp13 8009/tcp 0.004642 # Apache JServ Protocol 1.3
• squid-http 3128/tcp 0.004516 # ndl-aas | Active API Server Port
• snpp 444/tcp 0.004466 # Simple Network Paging Protocol
• abyss 9999/tcp 0.004441 # Abyss web server remote web management interface | distinct
• airport-admin 5009/tcp 0.004416 # winfs | Apple AirPort WAP Administration | Microsoft Windows Filesystem
• realserver 7070/tcp 0.004328 # arcp | ARCP
• aol 5190/tcp 0.004190 # America-Online. Also can be used by ICQ | America-Online
• ppp 3000/tcp 0.004115 # remoteware-cl | hbci | User-level ppp daemon, or chili!soft asp | HBCI | RemoteWare Client
• postgresql 5432/tcp 0.004090 # PostgreSQL database server | PostgreSQL Database
• upnp 1900/tcp 0.003977 # ssdp | Universal PnP | SSDP
• mapper-ws_ethd 3986/tcp 0.003977 # mapper-ws-ethd | MAPPER workstation server
• daytime 13/tcp 0.003927
• ms-lsa 1029/tcp 0.003801 # solid-mux | Solid Mux Server
• discard 9/tcp 0.003764 # sink null
• ida-agent 5051/tcp 0.003649 # ita-agent | Symantec Intruder Alert | ITA Agent
• unknown 6646/tcp 0.003649
• unknown 49157/tcp 0.003573
• unknown 1028/tcp 0.003421
• rsync 873/tcp 0.003400 # Rsync server ( http://rsync.samba.org )
• wms 1755/tcp 0.003350 # Windows media service | ms-streaming
• pn-requester 2717/tcp 0.003345 # PN REQUESTER
• radmin 4899/tcp 0.003337 # radmin-port | Radmin (www.radmin.com) remote PC control software | RAdmin Port
• jetdirect 9100/tcp 0.003287 # pdl-datastream | hp-pdl-datastr | HP JetDirect card | PDL Data Streaming Port | Printer PDL Data Stream
• nntp 119/tcp 0.003262 # Network News Transfer Protocol
• time 37/tcp 0.003161 # timserver

[Ali-Razmjoo]

Hello,

We've done it in #148, so I'd mark it as done, and create a new issue to improve the signatures!

Regards.