Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.
Thursday, October 6, 2022
Basics
Friday, August 12, 2022
Threat Hunting
(Photo: SANS FOR572 Courseware. Phil Hagen, author)
Wednesday, April 20, 2022
Nmap Basics Part 3
One of the most powerful aspects of nmap is the scripts written to extend its functionality. These scripts have an .nse extension, meaning they are part of the Nmap Scripting Engine. The default location for nmap scripts is /usr/share/nmap/scripts.
Using them you can do a rather thorough vulnerability assessment with nothing more than nmap. The scripts are prefixed with a classification, such as http- or dns- or smb-, which makes them easy to search for or to find with bash's tab completion. You can also use an entire category of scripts with a wildcard. To use one script, use --script=<script_name>. If the script takes any arguments, use --script-args=<argument1,argument2>. To use an entire class of scripts, wildcard the parameter, such as --script=http*. You can update the scripts anytime with the command nmap --script-update.
Tuesday, March 1, 2022
Wireshark as a Teaching Tool
Wireshark is a nice tool for keeping your packet dissecting knowledge fresh and for finding things you didn't know were there. You can play with the colorization settings and click through the fields in the packet dump to see which bytes in the header and payload they correspond to. Below I have the start of the IP header selected, which shows us the first nibble is the IP version field, and the other half of the first byte is the header length. We see the IP version is 4. Whatever value is in the second nibble, the IP header length, multiply it by four to get the number of bytes in the header. So the value five means the header is twenty bytes, the minimum length of an IP header, which also means there are no IP options. IP options are (relatively) rare and almost always suspicious if not malicious, whereas TCP options are common, with things like padding, selective acknowledgment, and so on being represented.
Note: In my haste, I switched the value and multiplier in the second nibble when I originally posted this. Sorry.
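As an added example (not code from the post), the same decoding the post does by hand in Wireshark, done in Python: split byte 0 into its version and IHL nibbles, multiply the IHL by four, pull out any IP options that follow the fixed 20 bytes, and verify the header checksum. The two headers are constructed sample bytes, not captured traffic.

```python
import struct

# Constructed 20-byte IPv4 header with no options. First byte 0x45: version
# nibble 4, IHL nibble 5 -> 5 * 4 = 20 bytes. Protocol 6 (TCP), 192.168.0.1 -> 192.168.0.199.
PLAIN_HEADER = bytes.fromhex("4500 003c 1c46 4000 4006 9c5d c0a8 0001 c0a8 00c7")

# Constructed 24-byte header: first byte 0x46, so IHL 6 -> 24 bytes, and 4 bytes
# of options follow the fixed part (a Record Route option: type 7, length 3,
# pointer 4, then End of Option List). Both checksums were computed for these bytes.
OPTIONS_HEADER = bytes.fromhex(
    "4600 0040 1c47 4000 4006 9055 c0a8 0001 c0a8 00c7 0703 0400"
)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's complement sum of the
    16-bit words. Over a header that already carries its checksum it returns 0."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields the post walks through, starting with the two nibbles
    of byte 0, and flag IP options (IHL > 5), which the post says deserve a look."""
    if len(pkt) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F    # high nibble, low nibble
    if version != 4:
        raise ValueError(f"not IPv4: version nibble is {version}")
    header_len = ihl * 4                         # IHL counts 32-bit words
    if ihl < 5 or len(pkt) < header_len:
        raise ValueError(f"bad IHL {ihl}: header would be {header_len} bytes")
    total_len, ident, flags_frag, ttl, proto, _csum = struct.unpack("!HHHBBH", pkt[2:12])
    return {
        "version": version,
        "ihl": ihl,
        "header_len": header_len,
        "total_len": total_len,
        "id": ident,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "options": pkt[20:header_len],            # empty bytes when IHL == 5
        "has_options": header_len > 20,           # the post's "rare, usually suspicious" case
        "checksum_ok": ipv4_checksum(pkt[:header_len]) == 0,
    }
```

Feeding a truncated or non-IPv4 buffer raises ValueError rather than returning a partial decode, so a caller iterating over a capture can count the bad headers separately.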
Sunday, February 27, 2022
Nmap Basics Part 2
Targets
Nmap can take a variety of different target ranges. CIDR notation is still supported as in 12.30.2.0/24.
You can also specify a custom range, like 12.30.2.1-64.
You can mix and match specifications, so 12.30.2.0/24 12.30.3.1-128 would be valid as well.
You can also feed a file to nmap with a mix of IPs, ranges, and hostnames.
Entries must be separated by spaces, tabs or newlines. I suggest the common one-entry-per-line format for easy readability, so anyone looking at the scan later can see what the scope was.
nmap has 6 built-in levels of scanning intensity, from Paranoid (-T0) to Insane (-T5). The default is -T3. Using -T4 should be acceptable if you have a good network connection between you and the target.
-T0 and -T1 are very stealthy and therefore very, very slow. Seeing as most organizations don't have the bandwidth to even investigate port scanning, this level of IDS evasion probably isn't worth using. Running your scan through Tor is also usually effective unless the target has geo-blocking in place for whatever exit node you come from. -T5 is almost certain to get you noticed and, unless your connection is very solid, runs the risk of dropped packets.