ISSSource White Papers

Posts Tagged ‘Nmap’

Tuesday, August 20, 2013 @ 04:08 PM gHale

A new tool is capable of scanning the entire IPv4 address space in less than an hour.

There have been Internet-wide scans done by various organizations over the years, but most of them have not had a security motivation. And they can take days or weeks, depending upon how you do the scan and what the researchers were trying to accomplish.


But the Zmap tool built by University of Michigan researchers has the ability to perform an Internet-wide scan in about 45 minutes while running on an ordinary server. The tool, which the team presented at the USENIX Security conference last week, is open-source and freely available for other researchers to use.

To demonstrate the capabilities of Zmap, the Michigan team, consisting of J. Alex Halderman, an assistant professor, and Eric Wustrow and Zakir Durumeric, both doctoral candidates, ran a scan of the entire IPv4 address space, returning results from more than 34 million hosts, or what they estimate to be about 98 percent of the machines in that space.

Zmap specifically bypasses some of the speed obstacles that have slowed down some of the previous large-scale scans of the Internet. The researchers removed some of the considerations for machines on the other end of the scan, for example assuming they sit on well-provisioned networks and can handle fast probes. The result is the tool can scan more than 1,300 times faster than the Nmap scanner.

“While Nmap adapts its transmission rate to avoid saturating the source or target networks, we assume that the source network is well provisioned (unable to be saturated by the source host), and that the targets are randomly ordered and widely dispersed (so no distant network or path is likely to be saturated by the scan). Consequently, we attempt to send probes as quickly as the source’s NIC can support, skipping the TCP/IP stack and generating Ethernet frames directly. We show that Zmap can send probes at gigabit line speed from commodity hardware and entirely in user space,” the researchers said in their paper, “Zmap: Fast Internet-Wide Scanning and Its Security Implications.”

“While Nmap maintains state for each connection to track which hosts have been scanned and to handle timeouts and retransmissions, Zmap forgoes any per-connection state. Since it is intended to target random samples of the address space, Zmap can avoid storing the addresses it has already scanned or needs to scan and instead selects addresses according to a random permutation generated by a cyclic multiplicative group.”

That stateless scanning, the researchers said, allowed Zmap to get both faster response times and better coverage of the target address space. As for practical applications of the tool, the researchers already have found several. In the last year, the team ran 110 separate scans of the entire HTTPS infrastructure, finding 42 million certificates. Only 6.9 million of those certificates were trusted by browsers. They also found two separate sets of mis-issued SSL certificates, something that has been a serious problem in recent years.
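The address-selection trick quoted above is worth seeing in miniature: with a prime p just above the address-space size and a generator g of the multiplicative group mod p, repeatedly multiplying by g walks through every value 1..p-1 exactly once, so a scanner needs no list of visited addresses, only the current value. The following is an added illustration, not code from the Zmap project; it generalises the idea to any space size n and shows why probes from such a scanner land on unrelated hosts in pseudo-random order (one reason sequential-scan detectors miss them).

```python
import random

def is_prime(m):
    """Trial division; adequate for the sizes used here (up to ~2**32)."""
    if m < 2:
        return False
    if m % 2 == 0:
        return m == 2
    i = 3
    while i * i <= m:
        if m % i == 0:
            return False
        i += 2
    return True

def smallest_prime_above(n):
    """Smallest prime p > n. For n = 2**32 this is 2**32 + 15, the modulus Zmap uses."""
    p = n + 1
    while not is_prime(p):
        p += 1
    return p

def prime_factors(m):
    """Set of distinct prime factors of m, by trial division."""
    factors, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            factors.add(d)
            m //= d
        d += 1
    if m > 1:
        factors.add(m)
    return factors

def find_generator(p):
    """Smallest generator of Z_p^*: g^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    order = p - 1
    qs = prime_factors(order)
    for g in range(2, p):
        if all(pow(g, order // q, p) != 1 for q in qs):
            return g
    raise ValueError("no generator found")  # unreachable for prime p

def stateless_permutation(n, seed=None):
    """Yield each index 0..n-1 exactly once, holding only (p, g, start, current) in state.
    Values of x above n correspond to no address and are skipped, exactly as in Zmap."""
    p = smallest_prime_above(n)
    g = find_generator(p)
    x0 = random.Random(seed).randrange(1, p)  # random starting point in the cycle
    x = x0
    while True:
        if x <= n:
            yield x - 1
        x = (x * g) % p
        if x == x0:  # the cycle has closed: every element of Z_p^* was visited
            return
```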

The Zmap team also wrote a custom probe to look for the UPnP vulnerability that HD Moore of Rapid7 discovered in January. After scanning 15.7 million devices, they found that 3.3 million were still vulnerable. That bug can be exploited with a single packet.

“Given that these vulnerable devices can be infected with a single UDP packet [25], we note that these 3.4 million devices could have been infected in approximately the same length of time — much faster than network operators can reasonably respond or for patches to be applied to vulnerable hosts. Leveraging methodology similar to Zmap, it would only have taken a matter of hours from the time of disclosure to infect every publicly available vulnerable host,” the researchers said in their paper.

Click here for more information, to read the white paper, and to download Zmap.

Monday, March 5, 2012 @ 02:03 PM gHale

It has long been known that embedded web servers are an easy mark for anyone trying to hack into them.

That knowledge has existed for quite a few years. With that knowledge it may be easy to assume companies would move to protect their systems. Wrong.


Embedded web servers (EWS) are just as easy to access now as they were years ago. With multi-function printers or video conferencing systems, there can be serious data leaks: Printers store scanned, faxed and printed files on hard disks and then disclose these often sensitive documents. Video conferencing hardware allows outsiders to monitor rooms remotely or listen to meetings that are in progress, said Zscaler’s Michael Sutton at the RSA Conference in San Francisco.

Sutton wanted to scan a million web servers and create a catalogue of all the embedded web servers he found. His first tests involved Nmap and the Google Hacking Database (GHDB). However, neither tool proved very successful, as Nmap doesn’t detect enough EWS fingerprints and will, therefore, produce useless device information. Google, on the other hand, doesn’t allow search queries via scripts and would have required time-consuming manual scans.

The security researcher ended up using the Shodan online scanner. Sutton said Shodan has a huge database containing the HTTP header information of EWS systems, allowing such devices to be identified accurately. The researcher entered typical character strings from the embedded web servers’ web pages into Shodan. To automate the process, Sutton used a Perl script that only sent HEAD queries via Shodan. The script was hosted on several EC2 micro instances in Amazon’s cloud which, according to the researcher, only cost a few dollars.

The scan managed to examine the targeted one million web servers in a short time and came up with the following results: Thousands of multi-function devices (more than 3,000 devices by Canon, 1,200 Xerox photocopiers, 20,000 Ricoh devices, among others), 8,000 Cisco IOS devices and almost 10,000 VoIP systems and phones didn’t require any log-in authentication. The latter included 1,100 devices by the German manufacturer Snom. These devices include packet tapping features and PCAP tracing by default. Imported into Wireshark, the trace can be converted into a sound file of the telephone conversation.

The majority of the detected devices were not password protected, Sutton said. This means that any web user can access their web interfaces through a browser and view the documents stored on such photocopiers and printers, forward incoming faxes to an external number, or record scan jobs. With HP devices, such an intrusion can be carried out by a script that calls a URL every second; the URL’s only variable is the UNIX epoch time, which is easy to figure out.

The scan run by Sutton also identified more than 9,000 video conferencing systems by Polycom and Tandberg (now Cisco). The most likely reason why these devices were openly accessible on the net is they all use the H.323 protocol and require numerous open ports in the firewall. Sutton thinks administrators shy away from this, placing their systems in a DMZ instead. The IT security expert used a video to demonstrate how he managed to monitor the targeted conference rooms via an accessible video conferencing system that provided sound and images.

Sutton’s company is now providing the brEWS scanner free of charge, which specializes in detecting embedded web servers. To avoid placing the weapon into the hands of criminals, scans can only be run in a /24 subnet. At a later stage, the researcher also plans to offer a browser add-on that will allow administrators to examine protected internal networks; this add-on will carry out the scan and then send the results to the brEWS server for identification.
