CAPACIDAD FINANCIERA - REQUISITOS ESPECÍFICOS DE ADMISIBILIDAD

2. REQUISITOS ESPECÍFICOS DE ADMISIBILIDAD

2.1. CAPACIDAD FINANCIERA

HEAD / HTTP/9.3 OPTIONS / HTTP/1.0 HEAD / HTTP/1.0

Internal Footprinting

The Internal Footprinting phase of Intelligence Gathering involves gathering response results from a target based upon direct interaction from an internal perspective. The goal is to gather as much information about the target as possible.

Active Footprinting

The active footprinting phase of Intelligence Gathering involves gathering response results from a target based upon direct interaction.

Ping Sweeps

Active footprinting begins with the identification of live systems. This is usually performed by conducting a Ping sweep to determine which hosts respond.

Nmap (Windows/Linux)

Nmap ("Network Mapper") is the de facto standard for network auditing/scanning. Nmap runs on both Linux and Windows. Nmap is available in both command line and GUI versions. For the sake of this document, we will only cover the command line.

Usage: nmap [Scan Type(s)] [Options] {target specification} TARGET SPECIFICATION:

Can pass hostnames, IP addresses, networks, etc.

Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 -iL <inputfilename>: Input from list of hosts/networks

-iR <num hosts>: Choose random targets

--exclude <host1[,host2][,host3],...>: Exclude hosts/networks --excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY:

-sL: List Scan - simply list targets to scan -sn: Ping Scan - disable port scan

-Pn: Treat all hosts as online -- skip host discovery

-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -PO[protocol list]: IP Protocol Ping

-n/-R: Never do DNS resolution/Always resolve [default: sometimes] --dns-servers <serv1[,serv2],...>: Specify custom DNS servers --system-dns: Use OS's DNS resolver

--traceroute: Trace hop path to each host SCAN TECHNIQUES:

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans -sU: UDP Scan

-sN/sF/sX: TCP Null, FIN, and Xmas scans --scanflags <flags>: Customize TCP scan flags -sI <zombie host[:probeport]>: Idle scan -sY/sZ: SCTP INIT/COOKIE-ECHO scans -sO: IP protocol scan

-b <FTP relay host>: FTP bounce scan PORT SPECIFICATION AND SCAN ORDER:

-p <port ranges>: Only scan specified ports

Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9 -F: Fast mode - Scan fewer ports than the default scan

-r: Scan ports consecutively - don't randomize --top-ports <number>: Scan <number> most common ports --port-ratio <ratio>: Scan ports more common than <ratio> SERVICE/VERSION DETECTION:

-sV: Probe open ports to determine service/version info

--version-intensity <level>: Set from 0 (light) to 9 (try all probes) --version-light: Limit to most likely probes (intensity 2)

--version-all: Try every single probe (intensity 9)

--version-trace: Show detailed version scan activity (for debugging) SCRIPT SCAN:

-sC: equivalent to --script=default

--script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories

--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts --script-trace: Show all data sent and received

--script-updatedb: Update the script database. OS DETECTION:

-O: Enable OS detection

--osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressively

TIMING AND PERFORMANCE:

Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m). -T<0-5>: Set timing template (higher is faster)

--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes --min-parallelism/max-parallelism <numprobes>: Probe parallelization --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time.

--max-retries <tries>: Caps number of port scan probe retransmissions. --host-timeout <time>: Give up on target after this long

--scan-delay/--max-scan-delay <time>: Adjust delay between probes --min-rate <number>: Send packets no slower than <number> per second --max-rate <number>: Send packets no faster than <number> per second FIREWALL/IDS EVASION AND SPOOFING:

-f; --mtu <val>: fragment packets (optionally w/given MTU) -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys -S <IP_Address>: Spoof source address

-e <iface>: Use specified interface

-g/--source-port <portnum>: Use given port number --data-length <num>: Append random data to sent packets --ip-options <options>: Send packets with specified ip options --ttl <val>: Set IP time-to-live field

--badsum: Send packets with a bogus TCP/UDP/SCTP checksum OUTPUT:

-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename. -oA <basename>: Output in the three major formats at once

-v: Increase verbosity level (use -vv or more for greater effect) -d: Increase debugging level (use -dd or more for greater effect) --reason: Display the reason a port is in a particular state --open: Only show open (or possibly open) ports

--packet-trace: Show all packets sent and received

--iflist: Print host interfaces and routes (for debugging)

--log-errors: Log errors/warnings to the normal-format output file --append-output: Append to rather than clobber specified output files --resume <filename>: Resume an aborted scan

--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML --webxml: Reference stylesheet from Nmap.Org for more portable XML --no-stylesheet: Prevent associating of XSL stylesheet w/XML output MISC:

-6: Enable IPv6 scanning

-A: Enable OS detection, version detection, script scanning, and traceroute --datadir <dirname>: Specify custom Nmap data file location

--send-eth/--send-ip: Send using raw ethernet frames or IP packets --privileged: Assume that the user is fully privileged

--unprivileged: Assume the user lacks raw socket privileges -V: Print version number

-h: Print this help summary page. EXAMPLES:

nmap -v -A scanme.nmap.org

nmap -v -sn 192.168.0.0/16 10.0.0.0/8 nmap -v -iR 10000 -Pn -p 80

SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

Nmap has dozens of options available. Since this section is dealing with port scanning, we will focus on the commands required to perform this task. It is important to note that the commands utilized depend mainly on the time and number of hosts being scanned. The more hosts or less time that you have to perform this tasks, the less that we will interrogate the host. This will become evident as we continue to discuss the options.

To perform a ping sweep you would want to utilize the following command:

nmap -sn <client ip range>/<CIDR> or <Mask>

nmap -sn 10.25.0.0/24

Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-22 22:58 Eastern Daylight Time Nmap scan report for 10.25.0.1

Host is up (0.0030s latency).

MAC Address: C0:C1:C0:09:5C:16 (Unknown) Nmap scan report for 10.25.0.111

Host is up (0.013s latency).

MAC Address: A8:E3:EE:97:3D:46 (Sony Computer Entertainment) Nmap scan report for 10.25.0.113

Host is up.

Nmap scan report for 10.25.0.119 Host is up (0.018s latency).

MAC Address: 00:14:6C:B4:3A:93 (Netgear)

Nmap done: 256 IP addresses (4 hosts up) scanned in 6.19 seconds

Alive6 (Linux)

Alive6, which is part of the THC IPv6 Attack Toolkit, offers the most effective mechanism for detecting all IPv6 systems.

Alive6 offers numerous options, but can be simply run by just specifying the interface. This returns all the IPv6 systems that are live on the local-link.

Screenshot Here

Port Scanning

Nmap (Windows/Linux)

Nmap 5.51 ( http://nmap.org )

Usage: nmap [Scan Type(s)] [Options] {target specification} TARGET SPECIFICATION:

Can pass hostnames, IP addresses, networks, etc.

Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 -iL <inputfilename>: Input from list of hosts/networks

-iR <num hosts>: Choose random targets

--exclude <host1[,host2][,host3],...>: Exclude hosts/networks --excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY:

-sL: List Scan - simply list targets to scan -sn: Ping Scan - disable port scan

-Pn: Treat all hosts as online -- skip host discovery

-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -PO[protocol list]: IP Protocol Ping

-n/-R: Never do DNS resolution/Always resolve [default: sometimes] --dns-servers <serv1[,serv2],...>: Specify custom DNS servers --system-dns: Use OS's DNS resolver

--traceroute: Trace hop path to each host SCAN TECHNIQUES:

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans -sU: UDP Scan

-sN/sF/sX: TCP Null, FIN, and Xmas scans --scanflags <flags>: Customize TCP scan flags -sI <zombie host[:probeport]>: Idle scan -sY/sZ: SCTP INIT/COOKIE-ECHO scans -sO: IP protocol scan

-b <FTP relay host>: FTP bounce scan PORT SPECIFICATION AND SCAN ORDER:

-p <port ranges>: Only scan specified ports

Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9 -F: Fast mode - Scan fewer ports than the default scan

-r: Scan ports consecutively - don't randomize --top-ports <number>: Scan <number> most common ports --port-ratio <ratio>: Scan ports more common than <ratio> SERVICE/VERSION DETECTION:

-sV: Probe open ports to determine service/version info

--version-intensity <level>: Set from 0 (light) to 9 (try all probes) --version-light: Limit to most likely probes (intensity 2)

--version-all: Try every single probe (intensity 9)

--version-trace: Show detailed version scan activity (for debugging) SCRIPT SCAN:

-sC: equivalent to --script=default

--script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories

--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts --script-trace: Show all data sent and received

--script-updatedb: Update the script database. OS DETECTION:

-O: Enable OS detection

--osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressively

Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m). -T<0-5>: Set timing template (higher is faster)

--max-retries <tries>: Caps number of port scan probe retransmissions. --host-timeout <time>: Give up on target after this long

-f; --mtu <val>: fragment packets (optionally w/given MTU) -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys -S <IP_Address>: Spoof source address

-e <iface>: Use specified interface

--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address --badsum: Send packets with a bogus TCP/UDP/SCTP checksum

OUTPUT:

-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename. -oA <basename>: Output in the three major formats at once

--packet-trace: Show all packets sent and received

--iflist: Print host interfaces and routes (for debugging)

--log-errors: Log errors/warnings to the normal-format output file --append-output: Append to rather than clobber specified output files --resume <filename>: Resume an aborted scan

-6: Enable IPv6 scanning

-A: Enable OS detection, version detection, script scanning, and traceroute --datadir <dirname>: Specify custom Nmap data file location

--send-eth/--send-ip: Send using raw ethernet frames or IP packets --privileged: Assume that the user is fully privileged

--unprivileged: Assume the user lacks raw socket privileges -V: Print version number

-h: Print this help summary page. EXAMPLES:

nmap -v -A scanme.nmap.org

nmap -v -sn 192.168.0.0/16 10.0.0.0/8 nmap -v -iR 10000 -Pn -p 80

SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

Based on IP set being assessed, you would want to scan the both TCP and UDP across port range to 1-65535. The command that will be utilized is as follows:

nmap -A -PN -sU -sS -T2 -v -p 1-65535 <client ip range>/<CIDR> or <Mask> -oA NMap_FULL_<client ip range>

nmap -A -PN -sU -sS -T2 -v -p 1-65535 client.com -oA NMap_FULL_client

NSE: Loaded 57 scripts for scanning.

Initiating Parallel DNS resolution of 1 host. at 22:27

Completed Parallel DNS resolution of 1 host. at 22:27, 0.10s elapsed Initiating SYN Stealth Scan at 22:27

Scanning client.com (74.117.116.73) [65535 ports] Discovered open port 80/tcp on 74.117.116.73

On large IP sets, those greater than 100 IP addresses do not specify a port range. The command that will be utilized is as follows:

nmap -A -O -PN <client ip range>/<CIDR> or <Mask> -oA NMap_<client ip range>

nmap -A -O -PN client.com -oA NMap_client

Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-22 22:37 Eastern Daylight Time Nmap scan report for client.com (74.117.116.73)

Host is up (0.13s latency).

rDNS record for 74.117.116.73: 74-117-116-73.parked.com Not shown: 999 filtered ports

PORT STATE SERVICE VERSION

80/tcp open http Apache httpd 2.2.3 ((CentOS)) | http-robots.txt: 2 disallowed entries

|_/click.php /ud.php |_http-title: client.com

|_http-methods: No Allow or Public header in OPTIONS response (status code 200) |_http-favicon: Parked.com domain parking

Warning: OSScan results may be unreliable because we could not find at least 1 o pen and 1 closed port

Device type: general purpose

Running (JUST GUESSING): Linux 2.6.X (92%), OpenBSD 4.X (88%), FreeBSD 6.X (88%)

It should be noted that Nmap has limited options for IPv6. These include TCP connect (-sT), Ping scan (-sn), List scan (-sL) and version detection.

nmap -6 -sT -P0 fe80::80a5:26f2:8db7:5d04%12

Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-22 22:42 Eastern Daylight Time Nmap scan report for lancelot (fe80::80a5:26f2:8db7:5d04)

Host is up (1.0s latency). Not shown: 988 closed ports PORT STATE SERVICE 135/tcp open msrpc 445/tcp open microsoft-ds 554/tcp open rtsp 2869/tcp open icslap 3389/tcp open ms-term-serv 5000/tcp open upnp 5001/tcp open commplex-link 5002/tcp open rfe 5003/tcp open filemaker 5004/tcp open avt-profile-1 5357/tcp open wsdapi 10243/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 287.05 seconds

SNMP Sweeps

SNMP sweeps are performed too as they offer tons of information about a specific system. The SNMP protocol is a stateless, datagram oriented protocol. Unfortunately SNMP servers don't respond to requests with invalid

community strings and the underlying UDP protocol does not reliably report closed UDP ports. This means that "no response" from a probed IP address can mean either of the following:

Machine unreachable SNMP server not running invalid community string

the response datagram has not yet arrived

SNMPEnum (Linux)

SNMPEnum is a perl script that sends SNMP requests to a single host, then waits for the response to come back and logs them.

Screenshot Here

Metasploit

Active footprinting can also be performed to a certain extent through Metasploit. Please refer to the Metasploit Unleashed (http://www.offensive-security.com/metasploit-unleashed/Information_Gathering) course for more information on this subject.

Zone Transfers

DNS zone transfer, also known as AXFR, is a type of DNS transaction. It is a mechanism designed to replicate the databases containing the DNS data across a set of DNS servers. Zone transfer comes in two flavors, full (AXFR) and incremental (IXFR). There are numerous tools available to test the ability to perform a DNS zone transfer. Tools commonly used to perform zone transfers are host, dig and nmap.

Host

host <domain> <DNS server>

Dig

dig @server domain axfr

SMTP Bounce Back

SMTP bounce back, also called a Non-Delivery Report/Receipt (NDR), a (failed) Delivery Status Notification (DSN) message, a Non-Delivery Notification (NDN) or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another message about a delivery problem. This can be used to assist an attacker in fingerprint the SMTP server as SMTP server information, including software and versions, may be included in a bounce message.

Reverse DNS

must have a PTR (reverse) DNS record for it to resolve a name from a provided IP address. If it does resolve then the results are returned. This is usually performed by testing the server with various IP addresses to see if it returns any results.

Banner Grabbing

Banner Grabbing is an enumeration technique used to glean information about computer systems on a network and the services running its open ports. Banner grabbing is used to identify network the version of applications and operating system that the target host are running.

Banner grabbing is usually performed on Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP); ports 80, 21, and 25 respectively. Tools commonly used to perform banner grabbing are Telnet, nmap, netcat and netca6 (IPv6).

HTTP JUNK / HTTP/1.0 HEAD / HTTP/9.3 OPTIONS / HTTP/1.0 HEAD / HTTP/1.0 httprint

httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or servermask. httprint can also be used to detect web enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings and it is very easy to add signatures to the signature database.

Screenshot Here

VoIP mapping

VoIP mapping is where we gather information about the topology, the servers and the clients. The main goal here is to find live hosts, PBX type and version, VoIP servers/gateways, clients (hardware and software) types and versions. The majority of techniques covered here assume a basic understanding of the Session Initiation

Protocol (SIP). There are several tools available to help us identify and enumerate VoIP enabled devices. SMAP

is a tool which is specifically designed to scan for SIP enabled devices by generating SIP requests and awaiting responses. SMAP usage is as follows:

Screenshot Here

SIPScan is another scanner for sip enabled devices that can scan a single host or an entire subnet.

Screenshot Here

Extensions are any client application or device that initiates a SIP connection, such as an IP phone, PC

softphone, PC instant messaging client, or mobile device. The goal is to identify valid usernames or extensions

In document ADENDA 010 LICITACIÓN L-CEEC (página 41-44)