Network.Security.Tools [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Network.Security.Tools [Electronic resources] - نسخه متنی

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Sitemap

Table of Contents

Copyright

Preface

Audience

Assumptions This Book Makes

Contents of This Book

Conventions Used in This Book

Using Code Examples

We'd Like to Hear from You

Safari Enabled

Acknowledgments

Part I: Modifying and Hacking Security Tools

Chapter 1. Writing Plug-ins for Nessus

Section 1.1. The Nessus Architecture

Section 1.2. Installing Nessus

Section 1.3. Using Nessus

Section 1.4. The NASL Interpreter

Section 1.5. Hello World

Section 1.6. Datatypes and Variables

Section 1.7. Operators

Section 1.8. if...else

Section 1.9. Loops

Section 1.10. Functions

Section 1.11. Predefined Global Variables

Section 1.12. Important NASL Functions

Section 1.13. Nessus Plug-ins

Chapter 2. Developing Dissectors and Plug-ins for the Ettercap Network Sniffer

Section 2.1. Installing and Using Ettercap

Section 2.2. Writing an Ettercap Dissector

Section 2.3. Writing an Ettercap Plug-in

Chapter 3. Extending Hydra and Nmap

Section 3.1. Extending Hydra

Section 3.2. Adding Service Signatures to Nmap

Chapter 4. Writing Plug-ins for the Nikto Vulnerability Scanner

Section 4.1. Installing Nikto

Section 4.2. Using Nikto

Section 4.3. Nikto Under the Hood

Section 4.4. Existing Nikto Plug-ins

Section 4.5. Adding Custom Entries to the Plug-in Databases

Section 4.6. Using LibWhisker

Section 4.7. Writing an NTLM Plug-in for Brute-Force Testing

Section 4.8. Writing a Standalone Plug-in to Attack Lotus Domino

Chapter 5. Writing Modules for the Metasploit Framework

Section 5.1. Introduction to MSF

Section 5.2. Overview of Stack Buffer Overflows

Section 5.3. Writing Exploits for MSF

Section 5.4. Writing a Module for the MnoGoSearch Overflow

Section 5.5. Writing an Operating System Fingerprinting Module for MSF

Chapter 6. Extending Code Analysis to the Webroot

Section 6.1. Attacking Web Applications at the Source

Section 6.2. Toolkit 101

Section 6.3. PMD

Section 6.4. Extending PMD

Part II: Modifying and Hacking Security Tools

Chapter 7. Fun with Linux Kernel Modules

Section 7.1. Hello World

Section 7.2. Intercepting System Calls

Section 7.3. Hiding Processes

Section 7.4. Hiding from netstat

Chapter 8. Developing Web Assessment Tools and Scripts

Section 8.1. Web Application Environment

Section 8.2. Designing the Scanner

Section 8.3. Building the Log Parser

Section 8.4. Building the Scanner

Section 8.5. Using the Scanner

Section 8.6. Complete Source Code

Chapter 9. Automated Exploit Tools

Section 9.1. SQL Injection Exploits

Section 9.2. The Exploit Scanner

Section 9.3. Using the Scanner

Chapter 10. Writing Network Sniffers

Section 10.1. Introduction to libpcap

Section 10.2. Getting Started with libpcap

Section 10.3. libpcap and 802.11 Wireless Networks

Section 10.4. libpcap and Perl

Section 10.5. libpcap Library Reference

Chapter 11. Writing Packet-Injection Tools

Section 11.1. Introduction to libnet

Section 11.2. Getting Started with libnet

Section 11.3. Advanced libnet Functions

Section 11.4. Combining libnet and libpcap

Section 11.5. Introducing AirJack

Colophon

توضیحات
افزودن یادداشت جدید









3.2. Adding Service Signatures to Nmap



Recent versions of the popular port scanner Nmap can detect the type
and version of services running on a network, as
illustrated in Example 3-2.



Example 3-2. Example Nmap version scan


>nmap -sV 127.0.0.1  
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2003-07-05 17:12 EDT
Interesting ports on localhost (127.0.0.1):
(The 1658 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 3.8.1p1 (protocol 2.0)
Nmap run completed -- 1 IP address (1 host up) scanned in 1.104 seconds


This scan is implemented as a series of probes and responses in the
file
nmap-service-probes. This file defines the probes that will be
sent to the service to elicit some response, as well as a series of
regular
expressions against which to match responses to determine which
services are running and, where possible, their
versions.


At a high level, the version-scanning methodology follows this
process:



If the port is a TCP port, connect to it and listen. This is called
the NULL probe. Many services will return a banner on connection. If
a match is made, processing stops.



If no match is given, or if the protocol is UDP, probes defined in
the nmap-service-probes file will be attempted
if the protocol and the port ranges in the file match. If a response
matching a probe is found, processing stops. If a soft match occurs
(whereby a service is recognized, but not its type or version),
follow-on probes will be limited to relevant ones.



If no match is found, each probe in the
nmap-service-probes file will be tried,
regardless of the ports on which the service usually runs. This will
be limited where a soft match has already occurred.



If SSL was found, Nmap will connect using SSL (if available) to run
the version-detection process again.




If a service responds to a probe sent
during this process, but Nmap does not recognize the response, Nmap
prints a fingerprint for the service that you can use to report the
signature to the Nmap developers, as shown in Example 3-3. You can use this, together with the version
and service information, to include a signature that recognizes this
service in the nmap-service-probes file in the
future.



Example 3-3. Nmap unrecognized service


>nmap -sV -p 4738 127.0.0.1
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2003-07-05 17:39 EDT
Interesting ports on localhost (127.0.0.1):
PORT     STATE SERVICE VERSION
4738/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, 
please submit the following fingerprint at http://www.insecure.org/cgi-bin/
servicefp-submit.cgi :
SF-Port4738-TCP:V=3.50%D=7/5%Time=40E9CA80%P=i686-pc-linux-gnu%r(NULL,59,"
SF:Login\x20with\x20USER\x20<name>\x20followed\x20by\x20PASS\x20<password>
SF:\x20or\x20ANON\r\nCheck\x20privileges\x20with\x20PRIVS\r\n")%r(GenericL
SF:ines,59,"Login\x20with\x20USER\x20<name>\x20followed\x20by\x20PASS\x20<
SF:password>\x20or\x20ANON\r\nCheck\x20privileges\x20with\x20PRIVS\r\n")%r
SF:(GetRequest,59,"Login\x20with\x20USER\x20<name>\x20followed\x20by\x20PA
SF:SS\x20<password>\x20or\x20ANON\r\nCheck\x20privileges\x20with\x20PRIVSSF:r\n")
%r(HTTPOptions,59,"Login\x20with\x20USER\x20<name>\x20followed\x20 
SF:by\x20PASS\x20<password>\x20or\x20ANON\r\nCheck\x20privileges\x20with\x
<cut>
Nmap run completed -- 1 IP address (1 host up) scanned in 75.504 seconds


At this point we have several options:



Submit the signature to the URL provided and wait for the next
version of Nmap. If responses were received from the probes sent, and
the service is something that could be expected to be running on
someone else's environment, this might be the best
choice.



Create a working match and/or probe statement, and submit that to
Fyodor at

3.2.1. The nmap-service-probes File



The keywords contained in
the nmap-service-probes file are listed in Table 3-5.



Table 3-5. nmap-service-probes keywords


Keyword




Format



Probe



Probe <protocol> <probe name> <probe string>



match



match <service> <pattern> [version info]



softmatch



softmatch <service> <pattern>



ports



ports <portlist>



sslports



sslports <portlist>



Totalwaitms



totalwaitms <milliseconds>




3.2.1.1 Probes



A probe entry consists of the values shown
in Table 3-6.



Table 3-6. Probe values


Parameter




Description




Protocol




TCP or UDP.




Probe name




Name of the probe (human-readable).




Probe string




String starting with a q, then a delimiter that
will start and end the string sent. The string can consist of
printable characters, as well as quoted unprintable characters and
control characters in standard C or Perl notation.



Here are some example probe strings:




Probe TCP NULL q||





Send nothing, waiting the amount of time specified in
totalwaitms.





Probe TCP GenericLines q|\r\n\r\n|





Send carriage return, newline, carriage return, newline.





Probe UDP DNSStatusRequest q|\0\0\x10\0\0\0\0\0\0\0\0\0|





Send the binary string 0x00
0x00 0x10
0x00 0x00
0x00 0x00
0x00 0x00
0x00 0x00 0x00.





3.2.1.2 Matches



A match entry consists of the values defined in
Table 3-7.



Table 3-7. Match values


Parameter




Description




Service




Name of the service the pattern matches.




Pattern




A Perl-compatible regular expression to match the expected response
for this service. This is of the format
m/regex/opts.




Version info




A field specifying additional version information. This is of the
format v/product
name/version/info/. This can contain variables
matched from the matching pattern, such as $1,
$2, where the matching pattern contains (
) matches. Any or all entries can be empty.



Nmap uses the Perl Compatible Regular
Expressions (libpcre) library for evaluating
regular expressions. Perl regular expressions are documented at
http://www.perldoc.com/perl5.8.0/pod/perlrel.


Here are some example match strings:




match ssh m/^SSH-([.\d]+)-OpenSSH[_-](\S+)/ v/OpenSSH/$2/protocol $1/





Match strings such as SSH-1.5-OpenSSH-3.4p1,
reading the version string (3.4p1) and protocol (1.5) into the
$2 and $1 variables,
respectively.





match ftp m/^220[- ].*FTP server \(Version (wu-[-.\w]+)/s v/WU-FTPD/$1//





Match strings such as 220 FTP
server (Version
wu-2.6.0) and extract the version wu-2.6.0.





match mysql m/^.\0\0\0\n(4\.[-.\w]+)\0...\0/s v/MySQL/$1//





Match the version of MySQL 4.x from the binary response.





3.2.1.3 Soft matches



A soft match occurs when a
service can be identified, but no additional information can be
derived. A soft-match entry consists of the values defined in Table 3-8.



Table 3-8. Soft-match values


Parameter




Description




Service




Name of the service the pattern matches.




Pattern




A Perl-compatible regular expression to match the expected response
for this service. This is of the format
m/regex/opts.



Here are some example soft-match strings:



softmatch ftp m/^220[- ].*ftp server.*\r\n/i



softmatch imap m/^\* OK [-.\w,:+ ]+imap[-.\w,:+
]+\r\n$/i




3.2.1.4 ports



ports is a comma-separated list of ports, as
well as port ranges (e.g., 35067-35090) on which the service will
commonly run. This is used to ensure that probing is done
efficiently, and therefore the ports entry should
follow the Probe entry in
nmap-service-probes.



3.2.1.5 sslports



sslports is a
comma-separated list of ports, as well as port ranges (e.g.,
55522-55525) on which the service will commonly run over SSL. This is
used to ensure that probing is done efficiently, and therefore the
sslports entry should follow the
Probe and ports enTRies in
nmap-service-probes.



3.2.1.6 totalwaitms



totalwaitms
is used to specify the timeout for a
Probe. It is not needed unless the service you are
probing does not respond immediately. If it is used, it should follow
the Probe entry.



/ 85