
Tag: Network Mapping

Nmap security scanner gets new scripts, performance boosts

The Nmap Project just released the Holiday Edition of its open source cross-platform security scanner and network mapper, with several important improvements and bug fixes. New features in Nmap 7.40 include Npcap 0.78r5, which adds driver signing updates to work with the Windows 10 Anniversary Update; faster brute-force authentication cracking; and new scripts for the Nmap Scripting Engine, the project’s maintainer Fyodor wrote on the Nmap mailing list.

The de facto standard network mapping and port scanning tool, Nmap (Network Mapper) Security Scanner is widely used by IT and security administrators for network mapping, port scanning, and network vulnerability testing. Administrators can run Nmap against the network to find open ports, determine which hosts are available, identify which services those hosts are offering, and detect leaked network information such as the type of packet filters and firewalls in use. With a network map, administrators can spot unauthorized devices, ports that shouldn’t be open, or users running unauthorized services.

The Nmap Scripting Engine (NSE) built into Nmap runs scripts that scan for well-known vulnerabilities in the network infrastructure. Nmap 7.40 includes 12 new NSE scripts, bringing the total to 552, and makes several changes to existing scripts and libraries. The ssl-google-cert-catalog script has been removed from NSE, since Google no longer supports the service. Known Diffie-Hellman parameters for haproxy, postfix, and IronPort have been added to the ssl-dh-params script. A bug in mysql.lua that caused authentication failures in mysql-brute and other scripts (affecting Nmap 7.52Beta2 and later) has been fixed, along with a crash in smb.lua when using smb-ls. http.lua now allows processing HTTP responses with malformed header names.
The script http-default-accounts, which tests default credentials used by a variety of web applications and devices against a target, adds 21 new fingerprints and changes the way output is displayed. The script http-form-brute adds the Drupal content management system to the set of web applications it can brute force. brute.lua has been improved to use resources more efficiently. New scripts added to NSE include fingerprint-strings, which prints the ASCII strings found in service fingerprints for unidentified services; ssl-cert-intaddr, which searches for private addresses in TLS certificate fields and extensions; tso-enum, which enumerates usernames for TN3270 Telnet emulators; and tso-brute, which brute-forces passwords for TN3270 Telnet services.

Nmap 7.40 adds 149 IPv4 operating system fingerprints, bringing the total to 5,336. These fingerprints let Nmap identify the operating system installed on the machine being scanned, and the list covers a wide range of hardware from various vendors. The latest additions are Linux 4.6, macOS 10.12 Sierra, and NetBSD 7.0. Amazon Fire OS was removed from the list of OS fingerprints because “it was basically indistinguishable from Android.” Nmap also maintains a list of service fingerprints so that it can detect the different types of services running on a machine; it now detects 1,161 protocols, including airserv-ng, domaintime, rhpp, and usher. The fingerprints help speed up overall scan times. Nmap 7.40 also adds a service probe and UDP payload for Quick UDP Internet Connection (QUIC), a secure transport developed by Google that is used with HTTP/2.

A common issue when running a network scan is the time it takes to complete when some of the ports are unresponsive. A new option, --defeat-icmp-ratelimit, labels unresponsive ports as “closed|filtered” in order to reduce overall UDP scan times. Those unresponsive ports may be open, but marking them this way tells administrators which ports require additional investigation. Source code and binary packages for Linux, Windows, and macOS are available from the Nmap Project page.
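The administrator workflow described above (scan, compare the result with what should be on the network, and chase up the “closed|filtered” ports that --defeat-icmp-ratelimit leaves behind) is easy to automate from Nmap’s XML output. The following script is an added example, not code from the Nmap project or from the article: it parses the XML that `nmap -oX` writes, flags hosts missing from an inventory, flags open ports that are not on the per-host allowlist, and lists the UDP ports that still need a follow-up scan. The embedded XML document and the `ALLOWLIST` inventory are constructed for the demonstration.

```python
"""Triage Nmap XML output against a per-host allowlist of expected services.

Added example (not part of Nmap): reads `nmap -oX` output and reports
  * hosts that are up but absent from the inventory,
  * open ports that the inventory does not expect, and
  * ports Nmap marked "closed|filtered" (e.g. under --defeat-icmp-ratelimit),
    which may still be open and need a targeted re-scan.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of nmap -oX output, trimmed to the elements used here.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.40">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
      <port protocol="udp" portid="161"><state state="closed|filtered" reason="no-response"/><service name="snmp"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.99" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed inventory: host address -> set of (protocol, port) expected to be open.
ALLOWLIST = {
    "10.0.0.5": {("tcp", 22), ("tcp", 443)},
}


@dataclass
class Findings:
    unknown_hosts: list = field(default_factory=list)     # addresses not in the inventory
    unexpected_open: list = field(default_factory=list)   # (host, proto, port, service)
    needs_followup: list = field(default_factory=list)    # (host, proto, port) closed|filtered


def triage(xml_text: str, allowlist: dict) -> Findings:
    """Walk every host that Nmap reports as up and classify its ports."""
    findings = Findings()
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth triaging
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        if addr not in allowlist:
            findings.unknown_hosts.append(addr)
        expected = allowlist.get(addr, set())
        for port in host.findall("ports/port"):
            proto = port.get("protocol")
            portid = int(port.get("portid"))
            state = port.find("state").get("state")
            svc = port.find("service")
            svc_name = svc.get("name") if svc is not None else "unknown"
            if state == "open" and (proto, portid) not in expected:
                findings.unexpected_open.append((addr, proto, portid, svc_name))
            elif state == "closed|filtered":
                # Nmap could not tell closed from filtered; treat as unresolved.
                findings.needs_followup.append((addr, proto, portid))
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_NMAP_XML, ALLOWLIST)
    for h in result.unknown_hosts:
        print(f"[unknown host] {h}")
    for h, proto, p, svc in result.unexpected_open:
        print(f"[unexpected open] {h} {proto}/{p} ({svc})")
    for h, proto, p in result.needs_followup:
        print(f"[needs follow-up] {h} {proto}/{p} is closed|filtered")
```

Run it against a real file with `triage(open("scan.xml").read(), ALLOWLIST)` after replacing the constructed inventory with your own. Keeping the allowlist keyed by (protocol, port) rather than by service name means a renamed or mis-identified service still shows up as an unexpected open port.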

Microsoft’s ‘Samaritan’ refuses help to hackers doing Win 10 recon

'SAMRi10' script hides the creds hackers crave, making box-to-box jumps harder

Microsoft hacker Itai Grady has created a tool to help protect against blackhat scouts stealing Windows credentials, an effort they hope will make network compromises harder to achieve. The SAMRi10 PowerShell script (the pair say it's pronounced "samaritan") eliminates the easy username information hackers seek in initial reconnaissance of Windows boxes. It changes the default permissions for remote Windows Security Account Manager (SAM) access on Windows 10 and Windows Server 2016 in a bid to limit the amount of information hackers can glean. Grady (@ItaiGrady) says the Windows 10 tool will help increase the cost and complexity of the first step in the offensive hacking kill chain.

"Once attackers have breached a single end-point, they need to discover their next targets within the victim’s corporate network, most notably privileged users.

"Local credentials, especially those of local admins, are a lucrative target for the attackers as they are less managed [in terms of] password complexity and change policy, and less monitored [with] no traffic and logs besides the specific computer.

"Querying the Windows Security Account Manager remotely via the SAM-Remote protocol against their victim’s domain machines allows the attackers to get all domain and local users with their group membership and map possible routes within the victim’s network."

Frameworks like Veris Group's BloodHound automate that network mapping, elevating the risk posed by exposed credentials.

Good samaritan: Admins okay, unauth users denied.
Images: Microsoft.

SAMRi10 is not known to work on any platform other than Microsoft's tougher Windows 10 platform, which has about 22 percent market share. The researchers have outlined their script's functionality and use in full, and encourage all security administrators to review it.