Secure Digital Life #59
Recorded on April 10, 2018 at G-Unit Studios in Rhode Island!
Topic: Intro to Vulnerability Scanning
HACKNYC: the two-day Ethical Hacking Workshop runs $1499, and viewers can use the code TZ10 for a 10% discount.
Here's a link for further info:
RSA -- I will be speaking at RSA 2018 in San Francisco on the 18th of April, so be sure to come by. I will be there shooting SDL on Tuesday at the NetSparker booth, so if you want to see the show live, now's your chance. I am speaking at 8 am on the 18th, but the show will be there on the 17th at the Marriott Marquis.
The very basics of VS
- VS is all about collecting data, but one thing up front:
there is no such thing as an automated scan that is comprehensive. Beware of automated tests that seem too easy.
- Origin of scanning: the original scanner was called SATAN,
the Security Administrator Tool for Analyzing Networks (Dan Farmer and Wietse Venema, 1995).
- The SATAN engine was, at its core, a port scanner.
- Any IP host has 65,536 potential ports (0 to 65535) for TCP and another 65,536 for UDP. That limit comes from the 16-bit port field in the transport protocols, not from the NIC or the hardware platform.
Listening daemons are simply programs that open a port and then listen on that port for inbound connections.
- For instance, sshd is a daemon that listens on TCP port 22. When a TCP SYN packet
arrives on that port, the kernel completes the three-way handshake (SYN, SYN/ACK, ACK) on the daemon's behalf and hands it a connected socket.
- That connection is identified by both endpoints: the server's IP and port 22, plus the client's IP and an ephemeral port chosen by the client's OS
(the 4-tuple). Those are the endpoints used to exchange information.
- So, to start, you could write a program that sends SYN packets to all 65,536 TCP ports
at some IP address and tries to connect on each one. If the connection succeeds, you have learned that something is listening there. This is called port scanning and is the basis for VS.
- You can also add an outer loop over IP addresses. IPv4 runs from 0.0.0.0 to 255.255.255.255 (about 4.3 billion addresses), so
another set of loops lets you try to scan all of them (the entire Internet).
- SATAN was followed by Nmap (insecure.org), a multi-purpose scanning tool that can
examine networks, segments, or single IPs for everything from ICMP response to UDP and TCP services. It also offers stealthier scans, such as the half-open SYN scan, which sends a SYN and answers the SYN/ACK with a RST instead of completing the handshake.
- When we do this type of scanning, we are essentially collecting intel about the device
being scanned with the idea that we will learn something about what daemons are listening.
- httpd on 80/tcp, BIND (DNS) on 53/tcp and 53/udp, and on and on. This can include very
interesting ports like 3389/tcp, where Remote Desktop (RDP) listens for connections.
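As an added example (not part of the show notes, and not SATAN or Nmap code), here is the basic connect scanner described above in Python: an inner loop over ports, an outer loop over hosts, and a look at the 4-tuple that identifies the resulting connection. To run offline, it starts two constructed stand-in "daemons" on loopback ports chosen by the OS; the hostnames, ports and service labels are assumptions for the demo.

```python
import socket
import threading
from contextlib import closing

# Labels for the well-known ports mentioned in the notes; used only for output.
KNOWN_SERVICES = {22: "ssh", 53: "dns", 80: "http", 3389: "rdp"}


def tcp_connect_scan(host, ports, timeout=0.5):
    """TCP connect scan of one host: full three-way handshake per port.

    connect_ex() returns 0 on success and an errno otherwise (ECONNREFUSED for a
    closed port, a timeout for a filtered one), so nothing is raised per port.
    Returns the sorted list of ports where something accepted the connection.
    """
    open_ports = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def scan_hosts(hosts, ports, timeout=0.5):
    """Outer loop over addresses, inner loop over ports: {host: [open ports]}."""
    return {host: tcp_connect_scan(host, ports, timeout) for host in hosts}


def connection_tuple(host, port, timeout=0.5):
    """Connect once and return (local ip, local port, remote ip, remote port).

    The daemon's port is fixed; the client side gets an ephemeral port from the OS.
    This 4-tuple is what identifies an established TCP connection.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        local_ip, local_port = s.getsockname()[:2]
        remote_ip, remote_port = s.getpeername()[:2]
        return (local_ip, local_port, remote_ip, remote_port)


def describe(port):
    """Nmap-style one-liner for an open port."""
    return f"{port}/tcp open ({KNOWN_SERVICES.get(port, 'unknown')})"


def start_listener(host="127.0.0.1"):
    """Constructed stand-in for a daemon: bind an OS-chosen port, accept in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))            # port 0 lets the kernel pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listener closed; stop the thread
                return
            conn.close()           # a real daemon would talk here; we just hang up

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host="127.0.0.1"):
    """Reserve and release a port so we have one that is (almost certainly) closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def run_demo():
    """Two fake daemons plus one closed port on loopback.

    Returns (ports found open, ports actually listening, 4-tuple of one connection).
    """
    host = "127.0.0.1"
    srv_a, port_a = start_listener(host)
    srv_b, port_b = start_listener(host)
    closed = free_port(host)
    try:
        targets = sorted({port_a, port_b, closed})
        result = scan_hosts([host], targets)
        four_tuple = connection_tuple(host, port_a)
        for p in result[host]:
            print(describe(p))
        print("connection identified by", four_tuple)
        return result[host], sorted([port_a, port_b]), four_tuple
    finally:
        srv_a.close()
        srv_b.close()


if __name__ == "__main__":
    run_demo()
```

Because this is a connect scan, every probe completes the handshake and will show up in the target daemon's logs; the half-open SYN scan mentioned above needs raw sockets (Nmap's -sS requires root for that reason). Scanning all 65,536 ports sequentially with a half-second timeout is also slow against a filtered host, which is why real scanners parallelize and tune timeouts.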