STD 0.1
security tools distribution
MD5: de03204ea5777d0e5fd6eb97b43034cb


Remote Service Identification

Remote service identification means finding out what's running on which ports. Typically this is used to determine whether a machine has been compromised (hey, I didn't run VNC on port 5955!), whether your own machines are vulnerable to attack (whoops, that's an old openssh...), or for preparing and planning an (of course) authorized pen-test.

Getting the Goods

If you're using the Knoppix-STD cd, skip this step! Recent copies of amap and nmap should already be included. Otherwise,

Visit http://www.insecure.org/nmap/nmap_download.html and download the appropriate file for your distribution.

Amap can be found at: http://www.thc.org/releases.php

Newest of each as of this writing [ed: 8.8.03] is nmap 3.30, and amap 4.0.

Let's begin

First of all, amap can act as a standalone port scanner as well as a banner identifier, but nmap is the swiss-army knife of network scanning, so you'll definitely want to be familiar with it, as it offers many options not available in amap.

The basic idea is this: we're going to nmap a host or network segment and save the results in a file format that amap can read. Then we'll feed the results to amap, and voila, an easy-to-read list of what's running where.

Nmapping

Nmap has more features than I could write about if I spent all week writing up this document, so take my word for it and read the documentation. Believe me, it's worth it. Here are my favorite settings for scanning my local network (when scanning over the internet, I might crank down the speed via the -T option):

nmap -T4 -p- 192.168.0.0/16 -m 192.168.txt

-T4 tells nmap to scan pretty quickly, but not so aggressively that you're likely to lose packets. On a very fast network, -T5 is probably reasonable as well, but -T4 is fast enough for me.

NOTE: (See, it's important, I used BOLD) Nmap does ~not~ port scan all ports by default. It checks all low ports (1-1024) as well as commonly known ports, but since we're looking for services and backdoors running on different ports, that doesn't do us any good. -p- is a shortcut to tell nmap to scan ALL ports.

192.168.0.0/16 is the address range to scan. In this case, the /16 means a netmask of 16 bits, sometimes referred to as a class B (though really, class addressing is a very different thing). This will scan all 65k hosts between 192.168.0.0 and 192.168.255.255.

The last option tells nmap to output machine-readable results to the file 192.168.txt. This is the file we're going to feed to amap.
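As an added example (not from the original page or the STD project), here is a small Python parser for the machine-readable file that nmap -m writes, the same file amap reads with -i. It compares each host's open TCP ports against a hypothetical baseline of expected services, which is exactly the "I didn't run VNC on that port" check described at the top; the sample nmap output and the EXPECTED baseline are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of nmap's machine-readable (-m) output, the file
# handed to amap -i.  Each port entry is slash-separated:
# port/state/protocol/owner/service/rpcinfo/version/
SAMPLE = """\
# nmap 3.30 scan initiated (constructed sample)
Host: 192.168.0.1 (gateway)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.168.0.5 ()\tStatus: Up
Host: 192.168.0.5 ()\tPorts: 22/open/tcp//ssh///, 139/filtered/tcp//netbios-ssn///, 5955/open/tcp//unknown///
# Nmap run completed
"""

# Hypothetical baseline: the open TCP ports each host is expected to offer.
EXPECTED = {"192.168.0.1": {22, 80}, "192.168.0.5": {22}}

def parse_grepable(text):
    """Return {host: {(port, proto): (state, service)}} for every Host: line
    that carries a Ports: field; comment lines and Status: lines are skipped."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports is None:
            continue
        for entry in ports[len("Ports: "):].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 3:
                continue
            port, state, proto = int(parts[0]), parts[1], parts[2]
            service = parts[4] if len(parts) > 4 else ""
            hosts[host][(port, proto)] = (state, service)
    return dict(hosts)

def unexpected_open_ports(hosts, expected):
    """Open TCP ports that are not in the per-host baseline (e.g. VNC on 5955);
    a host missing from the baseline has every open port reported."""
    findings = {}
    for host, ports in hosts.items():
        allowed = expected.get(host, set())
        extra = sorted(p for (p, proto), (state, _) in ports.items()
                       if proto == "tcp" and state == "open" and p not in allowed)
        if extra:
            findings[host] = extra
    return findings
```

Run unexpected_open_ports(parse_grepable(SAMPLE), EXPECTED) against a real nmap -m file to get the list of ports that need a closer look with amap.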

Amapping

Once nmap finishes, we can use amap to identify what's running on the ports we found. Here are my favorite settings:

amap -1 -b -t 2 -T 2 -i 192.168.txt

-1 tells amap to stop after it has identified the first service running on a port. This definitely speeds up the checks and is very useful when scanning lots of hosts or hosts with a large number of open ports; however, you may lose some interesting information with this option turned on. For example, when scanning a host running openssh with -1 turned on, you will see:

Protocol on 192.168.212.23:22/tcp matches ssh - banner: SSH-1.99-OpenSSH_3.6.1p2\n

If -1 was turned off, the results would have been:

Protocol on 128.227.212.23:22/tcp matches ssh - banner: SSH-1.99-OpenSSH_3.6.1p2\n
Protocol on 128.227.212.23:22/tcp matches ssh-openssh - banner: SSH-1.99-OpenSSH_3.6.1p2\n

Notice, however, that in this case we can figure it out easily ourselves, since the text banner is shown to the right. Which brings me to the next option:

-b turns on banner display. It'll make the output from amap a lot noisier and maybe a little harder to read, but is very useful, as demonstrated above.

-t and -T are timeout options which default to 5 seconds. Again, for a local network, values of 1 or 2 are much more realistic, and I've found them to significantly speed up scan times.

-i of course tells amap where the output from nmap is to be found.
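As an added example (not from the original page or the STD project), here is a Python parser for the "Protocol on ... matches ... - banner:" lines shown above. It groups every match for one host:port together (so you can see what -1 would have dropped) and pulls the OpenSSH version out of the banner, which is the "whoops, that's an old openssh" check from the introduction; the amap output lines and the minimum version you compare against are constructed and hypothetical.

```python
import re
from collections import defaultdict

# Constructed amap -b output (the literal "\n" is how amap prints the
# newline that ends an SSH banner).  Host 192.168.0.7 was scanned
# without -1, so its port 22 gets both a generic and a specific match.
AMAP_OUTPUT = r"""
Protocol on 192.168.0.5:22/tcp matches ssh - banner: SSH-1.99-OpenSSH_3.6.1p2\n
Protocol on 192.168.0.7:22/tcp matches ssh - banner: SSH-2.0-OpenSSH_3.4p1\n
Protocol on 192.168.0.7:22/tcp matches ssh-openssh - banner: SSH-2.0-OpenSSH_3.4p1\n
Protocol on 192.168.0.7:80/tcp matches http - banner: HTTP/1.1 200 OK\r\n
"""

LINE_RE = re.compile(
    r"^Protocol on (\S+):(\d+)/(tcp|udp) matches (\S+)(?: - banner: (.*))?$")
OPENSSH_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")

def parse_amap(text):
    """Group amap lines by socket: {(host, port, proto): {"matches": [...],
    "banner": str}}; several matches for one socket (no -1) are merged."""
    services = defaultdict(lambda: {"matches": [], "banner": ""})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, port, proto, name, banner = m.groups()
        rec = services[(host, int(port), proto)]
        rec["matches"].append(name)
        if banner:
            rec["banner"] = banner
    return dict(services)

def openssh_version(banner):
    """(major, minor, patch, portable) from an OpenSSH banner, e.g. (3, 6, 1, 2)
    for OpenSSH_3.6.1p2; None when the banner is not OpenSSH."""
    m = OPENSSH_RE.search(banner)
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def outdated_openssh(services, minimum):
    """Sockets whose OpenSSH banner is older than `minimum`, a baseline
    version tuple chosen by the reader (this check is not an amap feature)."""
    old = []
    for key, rec in services.items():
        version = openssh_version(rec["banner"])
        if version is not None and version < minimum:
            old.append(key)
    return sorted(old)
```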

Wrapping up

Too much typing for you? Here's a lazy man's script to use:

#!/bin/sh
##
## Usage: ./banner-probe ip1,ip2,network/24 -other -nmap -options
##
## Specifically, this script requires at least one parameter to be
## passed to it, the network or ip to scan.
##

Usage () {
        grep '^##' "$0" | sed 's/##//g'
}

if [ $# -lt 1 ]
then
        Usage
        exit 1
fi

if ! which nmap >/dev/null 2>/dev/null
then
        echo "I'm sorry, couldn't find nmap"
        exit 1
fi

if ! which amap >/dev/null 2>/dev/null
then
        echo "I'm sorry, couldn't find amap"
        exit 1
fi

# Scratch directory with an unpredictable name, so another user on a
# shared /tmp can't plant a file or symlink where nmap is about to write.
# Keeping both files in one directory also makes the cleanup a single rm.
WORK=`mktemp -d /tmp/banner-probe.XXXXXX` || exit 1
OUT=$WORK/nmap.out
ERR=$WORK/nmap.err

echo "Nmapping $@"
# "$@" passes each argument through intact; -m writes the machine-readable
# results that amap -i reads below.
if nmap -T4 -p- -m "$OUT" "$@" 2>"$ERR" >/dev/null
then
        echo "Nmap complete"
else
        echo "Nmap failed, bailing"
        echo "Error was:"
        cat "$ERR"
        rm -rf "$WORK"
        exit 1
fi

echo "Amapping $@"
amap -1 -b -t 2 -T 2 -i "$OUT"

echo "Cleaning up"
rm -rf "$WORK"

Comments? Suggestions? jordanatpsifertexdotcom