Understanding Nmap Packet Trace

Hello friends!! Today we are going to discuss how to capture network packets using nmap, and use Wireshark to compare its results with nmap's own trace. In this article we mainly focus on what types of network traffic nmap generates while we use its various ping scans.

A ping scan in nmap checks whether the target host is alive. As we know, an ordinary ping sends an ICMP echo request and gets an ICMP echo reply if the system is alive. On a local network, nmap's ping scan instead sends an ARP request by default and uses the response to decide that the host is up.

NOTE: Nmap scans change their behaviour according to the network they are scanning.

  • Scanning a local network: nmap sends an ARP request with every scan.
  • Scanning an external network: nmap sends the following request packets:
      • ICMP echo request
      • ICMP timestamp request
      • TCP SYN to port 443
      • TCP ACK to port 80

Techniques involved in packet tracing via nmap

The nmap module is an interface with nmap’s internal functions and data structures. The API offers target host information such as port states and version detection results. It also provides an interface to the Nsock library for effective network I/O.

Nsock is a parallel sockets library used by NSE, service detection (service_scan.cc) and DNS (nmap_dns.cc). It acts as an abstraction layer above socket operations and is optimized for handling multiple sockets. mspool is defined in nsock_internal.h and contains, among other things, a struct event_lists, which is a structure that keeps information on all pending events.

Event creation

Events are represented with the msevent struct (nsock_internal.h), which contains (among other things):

  • The callback handler -> nsock_ev_handler (nsock_pool, nsock_event, void *)
  • A pointer to a msiod struct -> msiod *iod, which holds all the I/O descriptor (IOD) related information.
  • Struct filespace iobuf (a buffer usually 1024 bytes which holds the write/read bytes)
  • The nse_type (nsock.h)
  • The nse_status (nsock.h)
  • A unique id -> nsock_event_id (EID)

Events are created with the following special functions:

nsock_connect.c

  • nsock_connect_tcp
  • nsock_connect_udp
  • nsock_connect_ssl
  • nsock_reconnect_ssl

nsock_read.c

  • nsock_readlines
  • nsock_readbytes
  • nsock_read

nsock_write.c

  • nsock_write
  • nsock_printf

nsock_timer_create.c

  • nsock_timer_create

source: https://sock-raw.org/nmap-ncrack/nsock.html

Let’s Start!!

Nmap Sweep Ping Analysis

The -sn and -sP options perform a ping sweep and try to identify the live hosts in the network. Adding --packet-trace to the nmap command lets us observe every network packet sent and received.

Here you can observe that the first two packets, SENT and RCVD (received), show the ARP request from 192.168.1.105 to 192.168.1.103 and its reply; the NSOCK INFO lines that follow show the actual request and response packets travelling between the source and the router.

  • NSOCK INFO line showing that a new nsock_event_id (EID) 8 is created to represent a UDP connection request on I/O descriptor (IOD) #1 to the router on port 53.
  • NSOCK INFO line showing that another EID, 18, is created to represent a read request on IOD #1.
  • NSOCK INFO line showing that another EID, 27, is created to represent a write request of 44 bytes to IOD #1.
  • NSOCK INFO line showing a SUCCESSFUL result when nsock invokes the callback handler for the connect event, EID 8.
  • NSOCK INFO line showing a SUCCESSFUL result when nsock invokes the callback handler for the write event, EID 27.
  • NSOCK INFO line showing a SUCCESSFUL result when nsock invokes the callback handler for the read event, EID 18.
  • NSOCK INFO line showing that IOD #1 is deleted.
  • NSOCK INFO line showing that nevent_delete is deleting event 34.
  • Finally, the nmap scan report says Host is up.

You can observe the same traffic in the capture we took with Wireshark:

  • ARP request packet from 192.168.1.105 for 192.168.1.103
  • ARP reply packet from 192.168.1.103 to 192.168.1.105

Similarly, you can add the --reason option to the nmap command to see the reason nmap gives for each host's state.

As you can observe, it clearly reports Host is up, the reason being the arp-response it received.

As we have seen, by default nmap sends an ARP request to determine host status, so now we will trace nmap's packets with --disable-arp-ping enabled.

Here you can notice the following packets SENT from source 192.168.1.105 to destination 192.168.1.103:

  • ICMP echo request
  • ICMP timestamp request
  • TCP SYN to port 443
  • TCP ACK to port 80

Then an ICMP echo reply is RCVD from destination 192.168.1.103, followed by the NSOCK INFO lines for the actual request and response packets travelling between the source and the router.

Demonstrating the working of the ping sweep using Wireshark

From the image below you can observe the following request and reply packets between the two IP addresses:

  1. ICMP echo request
  2. TCP SYN to port 443
  3. TCP ACK to port 80
  4. ICMP timestamp request
  5. ICMP echo reply
  6. TCP RST, ACK to port 443
  7. TCP RST to port 80
  8. ICMP timestamp reply
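A defender who sees this sequence in a capture can recognise it as nmap's default host discovery. The following parser, added here as an example and not part of the original article or of nmap, reads lines in the shape of nmap's --packet-trace output, picks out the four probes listed above, and derives from the first reply the same kind of reason string that --reason prints. The trace lines inside it are constructed, not captured from the lab; only the two addresses match the article.

```python
"""Parse nmap --packet-trace output and recognise the default discovery probes.

Added example; this is not code from the original article or from nmap.
SAMPLE_TRACE and ARP_TRACE are constructed in the shape of nmap's SENT/RCVD
trace lines. The addresses match the article's lab; ids, sequence numbers
and timings are made up.
"""
import re

# Probes nmap sends when it cannot ARP the target (remote host or --disable-arp-ping).
DISCOVERY_PROBES = {"icmp-echo", "icmp-timestamp", "tcp-syn-443", "tcp-ack-80"}

ICMP_RE = re.compile(r"^(SENT|RCVD) \(([\d.]+)s\) ICMP \[(\S+) > (\S+) "
                     r"(Echo request|Echo reply|Timestamp request|Timestamp reply) ")
TCP_RE = re.compile(r"^(SENT|RCVD) \(([\d.]+)s\) TCP (\S+):(\d+) > (\S+):(\d+) ([A-Z]+) ")
ARP_RE = re.compile(r"^(SENT|RCVD) \(([\d.]+)s\) ARP (?:who-has (\S+) tell (\S+)|reply (\S+) is-at)")

ICMP_LABELS = {"Echo request": "icmp-echo", "Echo reply": "icmp-echo-reply",
               "Timestamp request": "icmp-timestamp", "Timestamp reply": "icmp-timestamp-reply"}
TCP_FLAGS = {"S": "syn", "A": "ack", "SA": "syn-ack", "R": "rst", "RA": "rst-ack"}
# Reason strings modelled on what nmap prints with --reason.
REASONS = {"icmp-echo-reply": "echo-reply", "icmp-timestamp-reply": "timestamp-reply",
           "arp-reply": "arp-response"}


def parse_line(line):
    """Return {'dir', 't', 'src', 'dst', 'label'} for one trace line, or None."""
    m = ICMP_RE.match(line)
    if m:
        return dict(dir=m[1], t=float(m[2]), src=m[3], dst=m[4], label=ICMP_LABELS[m[5]])
    m = TCP_RE.match(line)
    if m:
        flags = TCP_FLAGS.get(m[7], m[7].lower())
        # Name SENT probes by destination port and replies by the port they come from.
        port = m[6] if m[1] == "SENT" else m[4]
        return dict(dir=m[1], t=float(m[2]), src=m[3], dst=m[5], label=f"tcp-{flags}-{port}")
    m = ARP_RE.match(line)
    if m:
        if m[3]:  # "who-has TARGET tell SENDER"
            return dict(dir=m[1], t=float(m[2]), src=m[4], dst=m[3], label="arp-request")
        return dict(dir=m[1], t=float(m[2]), src=m[5], dst="*", label="arp-reply")
    return None  # NSOCK INFO lines and other output are not packets


def parse_trace(text):
    return [p for p in (parse_line(line) for line in text.splitlines()) if p]


def find_discovery(packets, window=1.0):
    """(src, dst) pairs that were sent nmap's complete probe set within `window` seconds."""
    sent = {}
    for p in packets:
        if p["dir"] == "SENT" and p["label"] in DISCOVERY_PROBES:
            sent.setdefault((p["src"], p["dst"]), []).append(p)
    hits = []
    for pair, probes in sent.items():
        labels = {p["label"] for p in probes}
        span = max(p["t"] for p in probes) - min(p["t"] for p in probes)
        if labels == DISCOVERY_PROBES and span <= window:
            hits.append(pair)
    return hits


def host_up_reason(packets):
    """Why the host counts as up: the first reply received, in --reason style."""
    for p in packets:
        if p["dir"] != "RCVD":
            continue
        if p["label"] in REASONS:
            return REASONS[p["label"]]
        if p["label"].startswith("tcp-syn-ack"):
            return "syn-ack"
        if p["label"].startswith("tcp-rst"):
            return "reset"
    return None


# Constructed trace of a ping sweep with --disable-arp-ping (not a real capture).
SAMPLE_TRACE = """\
SENT (0.0410s) ICMP [192.168.1.105 > 192.168.1.103 Echo request (type=8/code=0) id=1234 seq=0] IP [ttl=44 id=9018 iplen=28 ]
SENT (0.0411s) ICMP [192.168.1.105 > 192.168.1.103 Timestamp request (type=13/code=0) id=5678 seq=0] IP [ttl=54 id=2265 iplen=40 ]
SENT (0.0412s) TCP 192.168.1.105:43452 > 192.168.1.103:443 S ttl=42 id=13005 iplen=44  seq=1937221702 win=1024 <mss 1460>
SENT (0.0412s) TCP 192.168.1.105:43452 > 192.168.1.103:80 A ttl=57 id=35061 iplen=40  seq=0 win=1024
RCVD (0.0420s) ICMP [192.168.1.103 > 192.168.1.105 Echo reply (type=0/code=0) id=1234 seq=0] IP [ttl=64 id=9018 iplen=28 ]
RCVD (0.0421s) TCP 192.168.1.103:443 > 192.168.1.105:43452 RA ttl=64 id=0 iplen=40  seq=0 win=0
NSOCK INFO [0.0460s] nsock_iod_new2(): nsock_iod_new (IOD #1)
"""
# Constructed trace of the default local-network ARP ping.
ARP_TRACE = """\
SENT (0.0270s) ARP who-has 192.168.1.103 tell 192.168.1.105
RCVD (0.0290s) ARP reply 192.168.1.103 is-at 08:00:27:aa:bb:cc
"""

if __name__ == "__main__":
    for name, trace in (("disable-arp-ping", SAMPLE_TRACE), ("arp-ping", ARP_TRACE)):
        pk = parse_trace(trace)
        print(name, find_discovery(pk), host_up_reason(pk))
```

The four-probe check is keyed on the (source, destination) pair and a time window, so a single stray SYN to 443 or an ordinary ping does not trigger it; the same grouping applied to firewall or IDS logs instead of a trace file is what makes the pattern useful for detection.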

Similarly, you can add the --reason option to the nmap command to see the reason nmap gives for each host's state.

As you can observe, it clearly reports Host is up, the reason being the ICMP echo reply it received.

Nmap TCP-SYN Ping Analysis

The -PS option sends a TCP SYN packet to port 80 by default; we can change the port by specifying it with the option, like -PS22.

Here you can observe that this scan combines the nmap ping scan with the nmap stealth scan: at the beginning it sends an ARP request, then it uses the nsock library, and at the end it performs a half-open TCP exchange.

So you can observe the following information in nmap's output:

  • SENT/RCVD ARP request and reply respectively.
  • Nsock library details
  • TCP SYN packet from 192.168.1.105:36088 to 192.168.1.103:22.
  • TCP SYN/ACK packet from 192.168.1.103:22 to 192.168.1.105:36088.

We saw the same pattern of network traffic in Wireshark.

Similarly, you can add the --reason option to the nmap command to see the reason nmap gives for each host's state.

Here you can observe that port 22 is open, the reason being the SYN/ACK packet received from the host.

Now let's look at the network traffic with --disable-arp-ping enabled.

So you can observe the following information in nmap's output:

  • SENT TCP SYN packet to port 80
  • RCVD TCP RST/ACK from port 80.
  • Nsock library details
  • TCP SYN packet from 192.168.1.105:63581 to 192.168.1.103:22.
  • TCP SYN/ACK packet from 192.168.1.103:22 to 192.168.1.105:63581.

We saw the same pattern of network traffic in Wireshark as well.

Nmap ICMP Ping Analysis

The -PE option sends an ICMP echo request packet (ICMP type 8) and receives an ICMP echo reply packet.

Here you can notice the ICMP echo request packet SENT from source 192.168.1.105 to destination 192.168.1.103.

Then an ICMP echo reply is RCVD from destination 192.168.1.103, followed by the NSOCK INFO lines for the actual request and response packets travelling between the source and the router.

We saw the same pattern of network traffic in Wireshark as well.

Nmap Stealth Scan Analysis

Let's capture the network packets for the default nmap scan, also called the stealth scan, which uses a half-open TCP exchange.

Here you can observe the half-open TCP exchange:

  • TCP SYN packet sent from source 192.168.1.105 to 192.168.1.103 on port 22.
  • TCP SYN/ACK packet received from 192.168.1.103 at 192.168.1.105.
  • TCP RST packet sent from source 192.168.1.105 to 192.168.1.103.

Now let's verify it with the --packet-trace parameter and compare the result.

So you can observe the following information in nmap's output, which is similar to the TCP SYN ping:

  • SENT/RECD ARP request and reply respectively.
  • Nsock libraries details
  • TCP-SYN packet from 192.168.1.105:48236 to 192.168.1.103:22.
  • TCP-SYN/ACK packet from 192.168.1.103:22 to 192.168.1.105:48236.

Similarly, you can add the --reason option to the nmap command to see the reason nmap gives for each port's state.

Here you can observe that port 22 is open, the reason being the SYN/ACK packet received from the host.

Now let's look at the network traffic with --disable-arp-ping enabled.

Here you can notice the following packets between source 192.168.1.105 and destination 192.168.1.103.

  • SENT ICMP echo request
  • SENT TCP SYN to port 443
  • SENT TCP ACK to port 80
  • SENT ICMP timestamp request
  • Then an ICMP echo reply is RCVD from destination 192.168.1.103
  • Then the NSOCK INFO lines for the actual request and response packets travelling between the source and the router
  • SENT TCP SYN request to port 22
  • RCVD TCP SYN/ACK reply from port 22.

We saw the same pattern of network traffic in Wireshark as well.

Nmap TCP Scan Analysis

As we know, the TCP scan performs the full TCP connection, known as the three-way handshake.

So you can observe the following information in nmap's output, which is similar to the TCP SYN ping:

  • SENT/RCVD ARP request and reply respectively.
  • Nsock library details
  • Connecting TCP from localhost to destination host 192.168.1.103:22 is in progress.
  • Connected TCP from localhost to destination host 192.168.1.103:22 successfully.

We saw the same pattern of network traffic in Wireshark as well.

Similarly, you can add the --reason option to the nmap command to see the reason nmap gives for each port's state.

Here you can observe that port 22 is open, the reason being the SYN/ACK packet received from the host.

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker.

3 Ways Extract Password Hashes from NTDS.dit

Hello friends!! Today we are going to discuss some forensic tools that are quite helpful in penetration testing for obtaining NTLM password hashes from inside a host machine. As we know, during a penetration test we collect lots of material from inside the host machine, and if you find files such as NTDS.dit and the SYSTEM hive, read this article to learn how to extract user information from them.

Impacket-secretsdump

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. The library provides a set of tools as examples of what can be done within the context of this library.

secretsdump.py: Performs various techniques to dump secrets from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp directory) and read the rest of the data from there. For DIT files, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec/wmiexec approach.

Source: https://www.coresecurity.com/corelabs-research/open-source-tools/impacket

As described in its official definition, we mainly need two files, ntds.dit and the SYSTEM hive, to extract the NTLM hashes stored inside them. Suppose that during a penetration test of a host machine you find the files mentioned above; then with the help of the following command you can extract the password hashes of the admin account and other accounts from them.

impacket-secretsdump -system /root/Desktop/NTDS/SYSTEM -ntds /root/Desktop/NTDS/ntds.dit LOCAL

-system: path to the system hive file (SYSTEM)

-ntds: path to the dit file (ntds.dit)

Now, as you can observe, it has dumped the NTLM hashes from inside the ntds.dit file.

With the help of an online cracking tool we tried to crack the password hash, and as shown in the image we got "[email protected]" as the result.
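Once such a dump is in hand, the first review a defender (or the tester writing up the engagement) does is mechanical: which accounts still carry an LM hash, which have an empty password, and which accounts share an NT hash and therefore the same password. The script below is an added example, not the article's or Impacket's code; it parses secretsdump-style output lines. The domain name, account names and hash values in SAMPLE_DUMP are constructed, except for the two well-known hashes of the empty password.

```python
"""Audit a secretsdump-style NTLM dump for weak credential hygiene.

Added example; not code from the original article or from Impacket.
SAMPLE_DUMP is constructed in the `domain\\user:rid:lmhash:nthash:::` shape
that secretsdump prints. The domain name, accounts and hash values are made
up, except for the two well-known hashes of the empty password.
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

LINE_RE = re.compile(r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+):"
                     r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")


def parse_dump(text):
    """Keep only the credential lines; secretsdump's [*] status lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def audit(records):
    """Flag what a defender looks for first in a dump of the directory's hashes."""
    findings = {"lm_hash_present": [], "empty_password": [], "shared_nt_hash": {}}
    by_nt = defaultdict(list)
    for r in records:
        name = r["user"]
        if r["lm"] != EMPTY_LM:        # LM hashes are trivially crackable; should be absent
            findings["lm_hash_present"].append(name)
        if r["nt"] == EMPTY_NT:        # account with an empty password
            findings["empty_password"].append(name)
        elif not name.endswith("$"):   # ignore machine accounts when looking for reuse
            by_nt[r["nt"]].append(name)
    findings["shared_nt_hash"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return findings


# Constructed dump in secretsdump's output format (domain, users and hashes are made up).
SAMPLE_DUMP = """\
[*] Target system bootKey: 0x0000000000000000000000000000000000
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 00000000000000000000000000000000
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
lab.local\\raj:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
lab.local\\aarti:1106:11223344556677889900aabbccddeeff:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
lab.local\\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
"""

if __name__ == "__main__":
    for key, value in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

Shared NT hashes are found without cracking anything: two accounts with identical NT hashes have identical passwords, which is usually the most useful line in a report about a domain's password hygiene.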

DSInternals PowerShell

The DSInternals PowerShell Module provides easy-to-use cmdlets that are built on top of the Framework. The main features include offline ntds.dit file manipulation and querying domain controllers through the Directory Replication Service (DRS) Remote Protocol.

Source: https://github.com/MichaelGrafnetter/DSInternals

This method is only applicable on Windows, and to extract NTLM hashes you can use the commands described below.

From its result, you can observe that we have successfully extracted the NTLM hash, which you can now crack as done above.

Ntdsxtract

The first step is to extract the tables from the NTDS.dit file; for this we will use esedbexport, obtained by downloading libesedb-tools. Libesedb is a library to access the Extensible Storage Engine (ESE) Database File (EDB) format, mainly known for its use in Microsoft Extension for the prev1.edb file. The ESE database format is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory (NTDS.dit), etc.

Source: https://github.com/libyal/libesedb/

For Latest Download link: https://github.com/libyal/libesedb/releases

Now type the following command to download the libesedb library to install esedbexport, then extract the tar file as shown below.

Now install the requirements with the help of the following commands:

Now that the tool is installed, use it to dump the tables from the ntds.dit file.

This will create a new directory named "ntds.dit.export" containing the extracted tables; the two main tables you will need are datatable and link_table.

Now download ntdsxtract, a forensic tool capable of extracting information related to user objects, group objects, computer objects and deleted objects from NTDS.dit files.

Execute the following command to install all its set-up files.

Extracting User Information and Password Hashes

Now, with the help of all three files (datatable, link_table and the SYSTEM hive), it is able to dump user information and NT/LM password hashes. You can execute the following command to obtain the NTLM hashes in John the Ripper format.

As you can see, it has extracted the user information and password hashes as described above.

cat data/nthash.txt

Now you can crack this password hash with the help of John the Ripper.

Author: Sanjeet Kumar is an Information Security Analyst, Pentester and Researcher.

Exploiting Wildcard for Privilege Escalation

Hello friends!! In this article we will cover "Wildcard Injection", an interesting old-school UNIX hacking technique which is still a successful approach for post-exploitation, and which even many security folks haven't heard of. You will be surprised to learn that UNIX tools like 'tar' or 'chown' can lead to full system compromise.

Table of content

  • Introduction
  • Wildcard
  • Wildcard wildness example 1
  • File hijacking example 2
  • Post Exploitation via tar (Phase I)
  • Tar Wildcard Injection (1st method)
  • Post Exploitation via tar (Phase II)
  • Tar Wildcard Injection
  • Tar Wildcard Injection (2nd method)
  • Tar Wildcard Injection (3rd method)

Let’s Start!!!

Wildcard

The wildcard is a character or set of characters that can be used as a replacement for some range/class of characters. Wildcards are interpreted by the shell before any other action is taken.

Some wildcard characters:

  • *    An asterisk matches any number of characters in a filename, including none.
  • ?    The question mark matches any single character.
  • [ ]  Brackets enclose a set of characters, any one of which may match a single character at that position.
  • -    A hyphen used within [ ] denotes a range of characters.
  • ~    A tilde at the beginning of a word expands to the name of your home directory. If you append another user's login name to the character, it refers to that user's home directory.

1st Example

You might be aware of wildcard characters and their traditional usage, but here we are presenting wildcard wildness, and for this I would like to draw your attention to the steps below.

So as you can observe, here we have made a new directory "wild" on the desktop; then with the help of the echo command we created 3 files and wrote 1 line in each file.

Afterwards, with the help of the cat command, we try to open all three files as shown:

The first two files opened normally and showed the same text as written above. But cat failed to read the text inside the --help file: instead of showing "take help", it printed its own --help output, because the shell expanded the wildcard into the filename --help and cat parsed it as an option. This type of trick is called wildcard wildness.

File owner hijacking via chown

Similarly, we try to do something roguish with the help of the chown command. As we know, chown is an abbreviation of "change owner"; it is used on Unix-like systems to modify the ownership of files and directories, and ownership may only be changed by the super-user. Let's say we have three users in our system:

  • Super-user (root): performs admin-level tasks such as running the chown command.
  • Non-root user 1 (raj): performs ordinary jobs such as creating files.
  • Non-root user 2 (aarti): performs ordinary jobs such as creating files.
  • Mischief user (ignite): performs notorious tasks such as the chown file-reference trick that leads to file-owner hijacking.

In the following image you can observe that all the PHP files are owned by user raj. When user ignite finds that all the PHP files are owned by raj, he plants two PHP files of his own in the same directory and uses the file-reference trick for file-owner hijacking by executing the commands below.

As you can notice, most files are owned by user raj and the last two files are owned by user ignite; when the super-user later changes the ownership of all files with the PHP extension using a wildcard, all the files will indirectly come under the ownership of user ignite.

As you can observe, when the root user runs chown to give ownership of all the PHP files to user aarti, an error occurs, and as a result all the PHP files are seized by user ignite automatically.

Conceptual information:

If you have ever explored chown's optional switches, you will have found the following option:

--reference=RFILE (use RFILE's owner and group rather than specifying OWNER:GROUP values)

In our case user ignite executed the following commands:

Then the root user used a wildcard to change ownership. The point is that the wildcard on the 'chown' command line expanded to include the file named '--reference=.my.php', and that name was passed to chown as a command-line option.

Post Exploitation via tar (Phase I)

Lab-Setup

Now we take the wildness of the wildcard character to the ultimate level; in terms of system hacking it is like a dynamic explosion.

tar is a very common UNIX program for creating and extracting archives, and with its help we are going to take a compressed backup of a directory. For example, make a new directory, give it ALL permissions, and then create some files in it.

Now schedule a task with crontab that runs the tar archival program every minute, taking a backup of /html into /var/backups.

Let's verify that the schedule is working by executing the following command.

Tar Wildcard Injection (1st method)

Privilege Escalation

Start your attacking machine, first compromise the target system, and then move to the privilege escalation stage. Suppose I successfully log in to the victim's machine through SSH and get a non-root user's terminal. Then open crontab to view whether any job is scheduled.

cat /etc/crontab

Here we notice that the target has scheduled the tar archival program every minute, and we know that the cron job runs as root. Let's try to exploit it.

In a new terminal, generate netcat reverse-shell code with msfvenom to obtain a reverse connection, entering the following command for that.

Copy the generated payload and paste it inside the victim's shell as described below.

nc -lvp 8888

Now paste the copied payload as described below and run the following commands inside the victim's tty shell.

The above commands make tar run the file shell.sh after the first file is archived. Since the tar command runs as root because of crontab, this has the effect of spawning a netcat shell and sending it to the attacking platform on port 8888. If you go back to the terminal window where the listener was running, you will have the victim's reverse connection after 1 minute.

id

whoami

Conceptual information:

If you have ever explored tar's optional switches, you will have found the following options:

--checkpoint[=NUMBER] display progress messages every NUMBERth record (default 10)

--checkpoint-action=ACTION execute ACTION on each checkpoint

The '--checkpoint-action' option specifies the program that will be executed when a checkpoint is reached. In effect, this permits us to run an arbitrary command. Hence the options '--checkpoint=1' and '--checkpoint-action=exec=sh shell.sh', present as file names, are handed to the 'tar' program as command-line options.
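Both tricks above (chown --reference and tar --checkpoint-action) depend on the same condition: a file whose name begins with '-' sits in a directory over which a privileged command expands a wildcard. The following check, added here as an example rather than the article's own code, lists such names, maps them to the trick they match, and builds an argument vector in which every entry is an explicit path placed after '--', so that neither chown nor tar can read a file name as an option. The directory and the file names that demo() creates are constructed from the names used in this article.

```python
"""Spot filenames that a shell wildcard would hand to chown or tar as options.

Added example, not code from the original article. demo() creates, in a
throw-away temporary directory, the option-shaped names the article
describes (--reference=..., --checkpoint=..., --checkpoint-action=...)
and audits them; no real system directory is touched.
"""
import os
import tempfile

# Option prefixes the article's two tricks rely on, and what each abuses.
KNOWN_TRICKS = (
    ("--reference=", "chown/chgrp/chmod --reference: copies ownership from the named file"),
    ("--checkpoint-action=", "tar --checkpoint-action: runs a command at each checkpoint"),
    ("--checkpoint", "tar --checkpoint: sets how often checkpoints fire"),
)


def option_like_entries(directory):
    """Names in `directory` beginning with '-' that `*` expansion would turn into options."""
    return sorted(name for name in os.listdir(directory) if name.startswith("-"))


def classify(name):
    """Map an option-shaped filename to the trick it matches."""
    for prefix, description in KNOWN_TRICKS:
        if name.startswith(prefix):
            return description
    return "unrecognised option-like name"


def safe_wildcard_argv(base_argv, directory):
    """Build an argv for base_argv over every entry of `directory` without option ambiguity.

    Each entry is passed as a path anchored on the directory, so it cannot
    begin with '-', and the entries follow a '--' that ends option parsing
    for getopt-style GNU tools such as chown and tar.
    """
    entries = sorted(os.listdir(directory))
    return list(base_argv) + ["--"] + [os.path.join(directory, name) for name in entries]


def demo():
    """Populate a temp dir with the article's trick filenames and audit it."""
    work = tempfile.mkdtemp()
    for name in ("index.php", "config.php", "--reference=.my.php", ".my.php",
                 "--checkpoint=1", "--checkpoint-action=exec=sh shell.sh", "shell.sh"):
        open(os.path.join(work, name), "w").close()
    suspicious = option_like_entries(work)
    report = {name: classify(name) for name in suspicious}
    argv = safe_wildcard_argv(["tar", "-czf", "/var/backups/html.tgz"], work)
    return suspicious, report, argv


if __name__ == "__main__":
    suspicious, report, argv = demo()
    for name in suspicious:
        print(f"{name!r}: {report[name]}")
    print("hardened command:", argv)
```

Running the audit from the backup job itself, before tar is invoked, is the practical use: a job that refuses to run when option_like_entries() is non-empty turns the injection attempt into a logged failure instead of a root shell, and the '--' plus anchored-path form removes the ambiguity even when no check runs.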

Post Exploitation via tar (Phase II)

Lab Setup

There are multiple ways to take a compressed backup, and several techniques can be applied for privilege escalation. In this phase, with the help of tar, we are going to take a compressed backup of a directory. For example, make a new directory whose backup you wish to take, give it ALL permissions, and then create some files in it.

Now, in another directory, write a bash script that takes a backup of /tmp/data with the help of the tar archival program.

Now schedule a task with crontab that runs the tar archival program every minute, taking a backup of /html into /var/backups.

After 1 minute you will notice that the backup.tgz file has been generated inside the info directory.

Tar Wildcard Injection

Privilege Escalation

Start your attacking machine, first compromise the target system, and then move to the privilege escalation stage. Suppose I successfully log in to the victim's machine through SSH and get a non-root user's terminal. Then open crontab to view whether any job is scheduled.

cat /etc/crontab

Here we notice that the target has scheduled a bash script every minute, and we know that the cron job runs as root. The minute the attacker reads the program written inside script.sh, he can apply tar wildcard injection.

Again generate the netcat reverse-shell payload as done above.

And again repeat the above step as shown in the image.

Then get back to the netcat listener for the victim's reverse connection; you will notice that after 1 minute you get the victim's netcat session.

Hence the target can easily be exploited if it uses the tar archival program, whether by scheduling the job directly via a command or through a bash script.

Tar Wildcard Injection (2nd method)

Privilege Escalation

Basically, with wildcard injection an attacker wants to gain the highest privilege on the system, so he will try to inject some malicious code with the help of tar to get root access. But there are multiple ways to obtain root access, and hence you can apply the following techniques for privilege escalation.

Suppose you have the victim's machine as a non-root user; for privilege escalation, either take root access directly or give sudo rights to the non-root user by adding him to the sudoers file. For this you can use the following commands.

With the help of the above commands we tried to give root permission to user ignite, and after 1 minute had passed we successfully owned the root account.

Tar Wildcard Injection (3rd method)

Privilege Escalation

There are multiple ways to achieve privilege escalation with the help of tar injection, but we are discussing only a few of them. Suppose you have the victim's machine as a non-root user; for privilege escalation you can try to enable the SUID bit on some system binary, and as above you can use the following command to obtain root access.

WOOhOOO!! Hope you people will enjoy this trick while penetration testing.

Source: https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

Linux Privilege Escalation by Exploiting Cronjobs

After solving several OSCP challenges we decided to write this article on the various methods used for Linux privilege escalation, which could be helpful to our readers in their penetration testing projects. In this article we will learn "Privilege Escalation by exploiting Cron Jobs" to gain root access on a remote host machine, and also examine how a badly implemented cron job can lead to privilege escalation. If you have solved CTF challenges for post-exploitation, then by reading this article you will recognise the several loopholes that lead to privilege escalation.

For details, you can read our previous article where we had applied this trick for privilege escalation. Open the links given below:

Link1: Hack the Box Challenge: Europa Walkthrough

Link2: Hack the Milnet VM (CTF Challenge)

Table of content

  • Introduction
  • Cron job
  • Crontab syntax
  • Crontab File overwrite
  • Lab Setup (Ubuntu)
  • Exploiting cron job (Kali Linux)
  • Crontab Tar wildcard Injection
  • Lab Setup (Ubuntu)
  • Exploiting cron job (Kali Linux)

Let’s Start!!!

What is cron job?

Cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. They're most commonly used for sysadmin jobs such as backups or cleaning the /tmp/ directory, and so on. The word cron comes from crontab, which is present inside the /etc directory.

For example, inside crontab we can add the following entry to print the apache error logs automatically every hour.

Crontab File overwrite

Lab setup for a poorly configured cron job

Objective: set a new job with crontab that runs a Python script to erase all data in a particular directory.

Let's assume "cleanup" is the directory whose data will be cleared automatically every two minutes. We have saved some data inside /home/cleanup.

As you can observe from the given image, some files are stored inside the cleanup directory.

Now write a Python program in any other directory to delete the data inside /home/cleanup, and give it all permissions.

chmod 777 cleanup.py

At last, schedule a task with crontab to run cleanup.py every 2 minutes.

Now let's verify the objective.

Coool!! It is working; as you can see, all the files have been deleted after two minutes.

Post Exploitation

Start your attacking machine, first compromise the target system, and then move to the privilege escalation stage. Suppose I successfully log in to the victim's machine through SSH and get a non-root user's terminal. Execute the following command as shown below.

From the above steps we notice that crontab is running a Python script every two minutes; now let's exploit it.

There are many methods to gain root access; in this method we set the SUID bit on /bin/dash. It is quite simple: first open the file in an editor, for example nano cleanup.py, and replace "rm -r /tmp/*" with the line given below.

After two minutes it will set the SUID permission on /bin/dash, and when you run it you will get root access.

Awesome!! We hit the goal.

Crontab Tar Wildcard Injection

Lab Setup

Objective: schedule a task with crontab to take a backup of the HTML directory with the tar archival program.

The directory whose backup you are going to take should have executable permission.

Now schedule a task with crontab that runs the tar archival program every minute, taking a backup of /html into /var/backups.

Let's verify that the schedule is working by executing the following command.

From the image below you can notice that the html.tgz file has been generated after 1 minute.

Post Exploitation

Start your attacking machine, first compromise the target system, and then move to the privilege escalation stage. Suppose I successfully log in to the victim's machine through SSH and get a non-root user's terminal. Then open crontab to view whether any job is scheduled.

cat /etc/crontab

Here we notice that the target has scheduled the tar archival program every minute, and we know that the cron job runs as root. Let's try to exploit it.

Execute the following command to grant sudo rights to the logged-in user; this post-exploitation technique is known as wildcard injection.

After 1 minute it will grant sudo rights to user ignite, as you can confirm from the image below.
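Both labs in this article are visible from the crontab alone: a root job that runs a script or enters a directory writable by other users (the chmod 777 cleanup.py above, and the html directory given ALL permissions), and a root job that passes a shell wildcard to tar. The audit below is an added example, not the article's code; it parses text in /etc/crontab format. demo() constructs a throw-away lab in a temporary directory together with a matching crontab, so the paths it reports are constructed and not real system paths.

```python
"""Audit crontab entries for the two weaknesses the labs above rely on.

Added example, not code from the original article. audit_crontab() reads
text in /etc/crontab format (minute hour dom mon dow user command) and
reports root jobs that execute or enter a path writable by other users and
root jobs that pass a shell wildcard to tar. demo() builds a temporary lab
with a constructed crontab; none of its paths are real system paths.
"""
import os
import re
import shlex
import stat
import tempfile

# Five schedule fields, a user name, then the command (system crontab layout).
CRON_RE = re.compile(r"^((?:\S+\s+){5})(\S+)\s+(.+)$")


def writable_by_others(path):
    """True if group or world has write permission on an existing path."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text):
    """Return (line number, finding) pairs for risky root jobs."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or environment assignment such as SHELL=/bin/sh
        m = CRON_RE.match(line)
        if not m or m.group(2) != "root":
            continue  # only jobs that run as root escalate privilege
        tokens = shlex.split(m.group(3))
        for tok in tokens:
            # Any absolute path in the command line: interpreter script, cd target, binary.
            if tok.startswith("/") and writable_by_others(tok):
                findings.append((lineno, f"root job uses a path writable by others: {tok}"))
        if "tar" in tokens and any("*" in tok for tok in tokens):
            findings.append((lineno, "root job passes a shell wildcard to tar (checkpoint-action injection)"))
    return findings


def demo():
    """Recreate the article's two lab mistakes under a temp dir and audit a constructed crontab."""
    work = tempfile.mkdtemp()
    script = os.path.join(work, "cleanup.py")
    with open(script, "w") as fh:
        fh.write("import os\n")  # stand-in for the article's cleanup script
    os.chmod(script, 0o777)      # the article's chmod 777 cleanup.py
    html = os.path.join(work, "html")
    os.mkdir(html)
    os.chmod(html, 0o777)        # the article's directory with ALL permissions
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"*/2 * * * * root python {script}\n"
        f"* * * * * root cd {html} && tar -zcf /var/backups/html.tgz *\n"
        "0 * * * * root cat /var/log/apache2/error.log\n"
        "*/5 * * * * www-data /usr/local/bin/rotate.sh\n"
    )
    return audit_crontab(crontab)


if __name__ == "__main__":
    for lineno, finding in demo():
        print(f"line {lineno}: {finding}")
```

The same function applied to the real /etc/crontab and the files under /etc/cron.d is a quick first pass on any Linux host: every finding is a place where a user who is not root decides what root will run.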

YUPPIEEEE!!! We have successfully obtained root access.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.
