This is just a quick shout out to Michel Chamberland over at the SecurityWire blog. He wrote a <a href=http://blog.securitywire.com/2009/10/10/nmap-nse-script-to-enumerate-iscsi-targets/>Script to enumerate iSCSI Targets</a>. Unfortunately, I don’t have any iSCSI to test on, but if you do he’d love to hear from you!
Ron
Continue readingHey all,
I’ll be presenting at Toorcon San Diego in a couple week (finalized lineup, my talk!).
Continue readingHi all,
I wrote a blog last week about scanning for Microsoft FTP with Nmap. In some situations the script I linked to wouldn’t work, so I gave it an overhaul and it should work nicely now.
Continue readingGreetings!
I found this excellent writeup of a Web-server botnet on Slashdot this weekend. Since it sounded like just the thing for Nmap to detect, I wrote a quick script!
Continue readingHello once again!
I just finished updating my smb-check-vulns.nse Nmap script to check for the recent SMBv2 vulnerability, which had a proof-of-concept posted on full-disclosure.
WARNING: This script will cause vulnerable systems to bluescreen and restart. Do NOT run this in a production environment, unless you like angry phonecalls. You have been warned!
Continue readingI was going to do a post about Nmap today, but since their svn is having some issues, you’re going to get something a little more fun (in my opinion)!
My friend snapped this picture in Vancouver, BC near Stanley Park (the picture is geocoded, so check out the Exif data if you want to know exactly where).
Click for a bigger version.
Hi all,
It’s been awhile since my last post, but don’t worry! I have a few lined up, particularly about scanning HTTP servers with Nmap. More on that soon!
In the meantime, I wanted to direct your attention to <a href=’http://blog.rootshell.be/2009/09/01/detecting-vulnerable-iis-ftp-hosts-using-nmap/’‘>This post (update here) about finding potentially vulnerable Microsoft FTP servers.
Continue readingI’m just going to quote my Slashdot post inline.. check out the links for all the nitty gritty details. The bottom line is that 5.00 is awesome, and includes everything I’ve written as yet – download it! :)
Continue readingHi all,
I had the weirdest thing happen to me today, and I couldn't resist sharing it. If you're looking for security tips or tricks, move along. If you want a funny story (that sort of involves security), stick around!
Continue readingHey all,
For my SANS GPEN Gold certification (first Gold-certified analyst for GPEN – go me!) I wrote a paper on my SMB scripts for Nmap. The paper is titled “Scanning Windows Deeper With the Nmap Scanning Engine”. I started writing it a few months ago, and collaborated with Fyodor in the early stages. Hopefully it’s a useful guide!
I talk a bit about the theory and protocols behind the scripts, then dive into a few of the more interesting ones and talk about how they work and how they can be used.
Let me know what you think!
Continue readingHey all,
With the upcoming release of Nmap 4.85, Brandon Enright posted some comments on random Nmap thoughts. One of the things he pointed out was that people hadn’t heard of nbstat.nse! Since I love showing off what I write, this blog was in order.
Continue readingAhoy! My name is Andrew and I’ve been playing with the recent IIS WebDAV authentication bypass vulnerability (CVE-2009-1676) and helping Ron with writing the nmap detection script (http-iis-webdav-vuln.nse) and testing it in the lab. Ron is in a meeting today so I thought I’d jump in where he left off and post a bit about how to detect if WebDAV is enabled and how to actually exploit a folder once you’ve determined it is vulnerable.
Continue readingGreetings!
This morning I heard (from the security-basics mailing list, of all places) that there’s a zero-day vulnerability going around for WebDAV on Windows 2003. I always like a good vulnerability early in the week, so I decided to write an Nmap script to find it!
Continue readingI performed all of this to learn more about data exfiltration, remote control, etc… over a tightly controlled corp environment. It was depressing actually…. It’s far too easy to gain control of a corp network even one that is conscientious. This work is built on the info at metasploit.com.
Oh, let me just say thanks for Metasploit. Words fail to describe how nice this project is. Thanks guys.
So, I want to share what I’ve learned and offer some thoughts for pondering.
Continue readingIn case you haven’t heard, Fyodor released Nmap 4.85beta9 this week. This is the first release in awhile that wasn’t related to my code (or, most properly, mistakes :) ). It looks like the new stable version will be here soon, so give this one a shot and report your bugs. Here’s the download page.
Continue readingHi everybody,
With the help of Symantec’s Security Intelligence Analysis Team, I’ve put together a script that’ll detect Conficker (.C and up) based on its peer to peer ports. The script is called p2p-conficker.nse, and automatically runs against any Windows system when scripts are being used:
nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns \
--script-args=safe=1 -T4 -p445 <host>
or
sudo nmap -sU -sS --script p2p-conficker,smb-os-discovery,smb-check-vulns \
--script-args=safe=1 -T4 -p U:137,T:139 <host>
See below for more information!
Or, if you just want to scan your network fast, give this a shot:
nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns \
--script-args=checkconficker=1,safe=1 -T4 <host>
Continue reading
Morning, all!
Last night Fyodor and crew rolled out Nmap 4.85beta7. This was because some folks from the Honeynet Project discovered a false negative (showed no infection where an infection was present), which was then confirmed by Tenable. We decided to be on the safe side, and updated our checks.
Continue readingI’m going to start off this blog by wishing a happy birthday to a very important person – me. :)
Now, onto the content!
PsTools is a suite of tools developed by Sysinternals (now Microsoft). They’re a great complement to any pen test, and many of my Nmap scripts are loosely based on them. As good as they are, they aren’t without their quirks!
Here are a few topics worth discussing:
Most (possibly all) of the PsTools use standard Windows functions. That makes life easy – we can expect PsTools to act the same way other remote functions work. If we know how!
Continue readingUsing Nmap to scan for the famous Conficker worm.
Continue readingToday, I’m going to share some knowledge and techniques on bruteforcing Windows passwords. Hopefully, some of you have thought about this and can give me even more advice. If you know anything, post it!
Continue reading