The port scanner nmap [Nmap] is well on its way to becoming a standard Unix tool; it is included in most modern Linux distributions. nmap has a lot of nice features, but for our purposes we only need some of its basic functions.
First let us start with a classical port scan of the OCS system:
[frank@w0001 frank]$ nmap -p- 192.168.74.10
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-11-05 14:48 CET
Interesting ports on s0002.berger.com (192.168.74.10):
(The 65467 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
110/tcp open pop-3
119/tcp open nntp
139/tcp open netbios-ssn
143/tcp open imap
389/tcp open ldap
513/tcp open login
514/tcp open shell
636/tcp open ldapssl
993/tcp open imaps
995/tcp open pop3s
1521/tcp open oracle
1522/tcp open rna-lm
1810/tcp open unknown
1811/tcp open unknown
2100/tcp open unknown
2601/tcp open zebra
4000/tcp open remoteanything
4001/tcp open unknown
6000/tcp open X11
7777/tcp open unknown
7778/tcp open unknown
7779/tcp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 13.163 seconds
[frank@w0001 frank]$
The command line option -p- specifies that we want to scan the whole range of TCP ports. That's a good choice, since most Oracle ports are above 1024 and are also not very common in other environments, so a default nmap scan would not look at the ports we are interested in.
Looking at the results of our first scan you can also see a big limitation of traditional port scans. You may get a huge list of open ports, but you have no clue which application is behind them. For well-known ports you can make good guesses (like for the ports 25 (SMTP), 80 (HTTP) or 110 (POP3)). But please remember, that's just a guess! If you are a funny guy you can reconfigure the ports and use port 80 for your SSH and 22 for HTTP.
The latest versions of nmap (I used version 3.48) include a new feature. With the command line option -sV nmap tries to fingerprint the application that is listening on a given port. For many applications it is possible to retrieve information about the vendor and the version of the application in use.
So let us try to fingerprint our OCS installation:
[frank@w0001 frank]$ nmap -sV -p- 192.168.74.10
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-11-05 15:03 CET
Interesting ports on s0002.berger.com (192.168.74.10):
(The 65473 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
21/tcp open ftp
22/tcp open ssh OpenSSH 3.1p1 (protocol 1.99)
25/tcp open smtp
110/tcp open pop-3?
119/tcp open nntp?
139/tcp open netbios-ssn?
143/tcp open imap?
389/tcp open ldap (Anonymous bind OK)
513/tcp open login?
514/tcp open shell?
636/tcp open ldapssl?
993/tcp open imaps?
995/tcp open pop3s?
1521/tcp open oracle?
1522/tcp open rna-lm?
1810/tcp open unknown
1811/tcp open unknown
2100/tcp open ftp
4000/tcp open remoteanything?
4443/tcp open ssl/unknown
4445/tcp open ssl/http HTTP Server Oracle9iAS/9.0.2.3.0 (Oracle9iAS-Web-Cache)
4446/tcp open ssl/unknown
6000/tcp open X11 (access denied)
7778/tcp open http HTTP Server Oracle9iAS/9.0.2.3.0 (Oracle9iAS-Web-Cache)
7779/tcp open unknown
9 services unrecognized despite returning data. If you know the service/version,
please submit the following fingerprints at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port21-TCP:V=3.48%D=11/5%Time=3FA9032C%r(NULL,32,"220\x20Oracle\x20Inte
SF:rnet\x20File\x20System\x20FTP\x20Server\x20ready\r\n")%r(GenericLines,5
SF:3,"220\x20Oracle\x20Internet\x20File\x20System\x20FTP\x20Server\x20read
SF:y\r\n200\x20Connection\x20closed,\x20good\x20bye\r\n")%r(Help,57,"220\x
SF:20Oracle\x20Internet\x20File\x20System\x20FTP\x20Server\x20ready\r\n500
SF:\x20'HELP':\x20command\x20not\x20understood\.\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port25-TCP:V=3.48%D=11/5%Time=3FA9032C%r(NULL,57,"220\x20s0002\.berger\
SF:.com\x20ESMTP\x20Oracle\x20Email\x20Server\x20SMTP\x20Inbound\x20Server
SF:\t9\.0\.4\.0\.0\x20\t\x20\x20Ready\r\n")%r(Help,17D,"220\x20s0002\.berg
SF:er\.com\x20ESMTP\x20Oracle\x20Email\x20Server\x20SMTP\x20Inbound\x20Ser
SF:ver\t9\.0\.4\.0\.0\x20\t\x20\x20Ready\r\n214-2\.3\.0\x20This\x20is\x20O
SF:racle\x20eMail\x20SMTP\x20Server\n214-2\.3\.0\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20HELO\x20\x20\x20\x20EHLO\x20\x20\x20\x20MAIL\x20\x20\x20\x20R
SF:CPT\x20\x20\x20\x20DATA\n214-2\.3\.0\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0RSET\x20\x20\x20\x20NOOP\x20\x20\x20\x20QUIT\x20\x20\x20\x20HELP\x20\x
SF:20\x20\x20DSN\n214-2\.3\.0\x20For\x20more\x20info\x20use\x20\"HELP\x20<
SF:topic>\"\.\n214-2\.3\.0\x20For\x20local\x20information\x20send\x20email
SF:\x20to\x20Postmaster\x20at\x20your\x20site\.\n214\x202\.3\.0\x20End\x20
SF:of\x20HELP\x20info\n");
Nmap run completed -- 1 IP address (1 host up) scanned in 209.025 seconds
[frank@w0001 frank]$
Interesting, we get more information. But uhm, what's that? Not all ports of our OCS installation have been identified (like port 1810 for the Oracle Enterprise Manager website). What's the problem? Well, nmap uses its own database of stored fingerprints, and please remember that not all nmap hackers have Oracle software running on their machines. So it is possible that there are no fingerprints in the database for your product.
That's the reason why you may get a lot of new fingerprints at the end of the nmap output. I will explain later in this chapter how to extend the fingerprint database.
During my work with nessus I found out that you can abuse the Oracle FTP servers (IFS and XML DB) for so-called FTP bounce attacks. An FTP bounce attack makes it possible to look behind a firewall: the FTP server acts as a relay between you, the firewall and some internal network.
This fact can be used for many things. One of the interesting possibilities is to use the Oracle FTP server together with nmap to scan an internal network.
Let's look at this nmap command:
[frank@w0001 frank]$ nmap -b anonymous:foo@s0002.berger.com \
-P0 -p 25,110,1521,1522 192.168.74.10
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-11-05 15:26 CET
Interesting ports on s0002.berger.com (192.168.74.10):
PORT STATE SERVICE
25/tcp open smtp
110/tcp open pop-3
1521/tcp open oracle
1522/tcp open rna-lm
Nmap run completed -- 1 IP address (1 host up) scanned in 9.621 seconds
[frank@w0001 frank]$
There is another commonly used tool called amap [Amap], which can also identify the applications listening behind TCP/IP ports.
[frank@w0001 amap-4.3]$ ./amap 192.168.74.10 1521 1522
amap v4.3 (www.thc.org) started at 2003-11-05 15:36:00 - APPLICATION MAP mode
Protocol on 192.168.74.10:1521/tcp matches oracle-tns-listener
Protocol on 192.168.74.10:1522/tcp matches oracle-tns-listener
Unidentified ports: none.
amap v4.3 finished at 2003-11-05 15:36:06
[frank@w0001 amap-4.3]$
I am using amap to cross-check the results found with nmap. Sometimes amap can fingerprint applications that could not be identified with nmap.
We have already seen that the key to identifying applications lies in the fingerprint database. So it is time to have a short look at how to maintain and update that database.
To fingerprint an application nmap performs the following steps:
So first of all, locate that database on your computer system (the path is /usr/local/share/nmap, /usr/share/nmap or /opt/share/nmap, depending on how you installed nmap). The interesting file is called nmap-service-probes. Once you have found that file, open it with your favorite text browser (more or less :-) ).
Looking into nmap-service-probes, you will notice that it consists of repeating blocks of three lines.
The best method to find your own probes is to listen to (sniff) the TCP/IP communication between a valid client and the remote application. For the workshop I created a new probe for the Oracle Listener. I used tnscmd.pl as the client (we will have a look at tnscmd.pl in the next section) and ngrep to sniff the communication between the Listener and tnscmd.pl.
To get some useful information from the remote listener I used the TNS command VERSION. And this is the probe for the nmap database:
##############################NEXT PROBE##############################
Probe TCP oracle-tns q|\0\x5A\0\0\x01\0\0\0\x01\x36\x01\x2C\0\0\x08\0\x7F\xFF\x7F\x08\0\0\0
\x01\0\x20\0\x3A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x34\xE6\0\0\0\x01\0\0\0\0\0\0\0\0\x28\x43
\x4F\x4E\x4E\x45\x43\x54\x5F\x44\x41\x54\x41\x3D\x28\x43\x4F\x4D\x4D\x41\x4E\x44\x3D\x76\x65
\x72\x73\x69\x6F\x6E\x29\x29|
ports 1024-3000
match oracle-tns m/TNSLSNR for (.{2,15}): Version (\d\.\d\.\d\.\d\.\d) - Production/
v/Oracle DB Listener/$2 (for $1)//
##############################NEXT PROBE##############################
If you copy that sequence into your nmap-service-probes file, please make sure that the probe is stored in one long line. I inserted some line breaks to make it more readable. You can also download the probe as a file.
And that's the output from nmap using the new probe:
[frank@w0001 frank]$ nmap -p1521,1522 -sV 192.168.74.10
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-11-05 15:42 CET
Interesting ports on s0002.berger.com (192.168.74.10):
PORT STATE SERVICE VERSION
1521/tcp open oracle-tns Oracle DB Listener 9.0.1.4.0 (for Linux)
1522/tcp open oracle-tns Oracle DB Listener 9.2.0.3.0 (for Linux)
Nmap run completed -- 1 IP address (1 host up) scanned in 5.360 seconds
[frank@w0001 frank]$
More in-depth information about writing your own probes and matches can be found on the documentation page [NVS] for that feature.
tnscmd.pl [tnscmd] is a small Perl script which makes it possible to communicate with the remote Oracle Listener via TNS commands. To give you an impression of its power, have a look at the following lines:
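As an added illustration (not part of the workshop text and not nmap's own code), the following Python takes the oracle-tns probe block shown above, decodes the q|...| payload into the TNS connect packet it really sends, checks which ports nmap would send it to, and runs the match line over a listener banner, formatting the hit the way nmap -sV prints it. The TNS header offsets (length, packet type, version, connect-data length and offset) are assumed from the standard TNS connect packet layout; the banner is constructed from the VERSION line of the tnscmd.pl output further down.

```python
import re

# The oracle-tns probe from the workshop text, re-joined into the one long line
# nmap-service-probes requires (the 16- and 8-byte zero runs written as repeats).
PROBE_BLOCK = (
    r"Probe TCP oracle-tns q|\0\x5A\0\0\x01\0\0\0\x01\x36\x01\x2C\0\0\x08\0\x7F\xFF\x7F\x08\0\0\0"
    r"\x01\0\x20\0\x3A" + r"\0" * 16 + r"\x34\xE6\0\0\0\x01" + r"\0" * 8 + r"\x28\x43"
    r"\x4F\x4E\x4E\x45\x43\x54\x5F\x44\x41\x54\x41\x3D\x28\x43\x4F\x4D\x4D\x41\x4E\x44\x3D\x76\x65"
    r"\x72\x73\x69\x6F\x6E\x29\x29|" "\nports 1024-3000\n"
    r"match oracle-tns m/TNSLSNR for (.{2,15}): Version (\d\.\d\.\d\.\d\.\d) - Production/ "
    r"v/Oracle DB Listener/$2 (for $1)//"
)

def decode_probe_string(text):
    """The q|...| syntax uses \\0, \\xHH, \\r, \\n; Python's escape decoder covers these."""
    return text.encode("latin-1").decode("unicode_escape").encode("latin-1")

def parse_probe_block(block):
    """Parse one Probe / ports / match block of nmap-service-probes into a dict."""
    probe = {"matches": []}
    for line in block.splitlines():
        if m := re.match(r"Probe (\S+) (\S+) q\|(.*)\|$", line):
            probe.update(proto=m[1], name=m[2], payload=decode_probe_string(m[3]))
        elif line.startswith("ports "):
            probe["ports"] = [(int(p.split("-")[0]), int(p.split("-")[-1]))
                              for p in line[6:].split(",")]
        elif m := re.match(r"match (\S+) m/(.*)/([is]*) v/([^/]*)/([^/]*)/([^/]*)/", line):
            probe["matches"].append(m.groups())   # service, regex, flags, product, version, info
    return probe

def probe_applies(probe, port):
    """nmap only sends a probe to ports inside the block's 'ports' ranges."""
    return any(lo <= port <= hi for lo, hi in probe["ports"])

def tns_connect_fields(pkt):
    """Decode the TNS connect header the probe carries (big-endian, assumed TNS offsets)."""
    u16 = lambda off: int.from_bytes(pkt[off:off + 2], "big")
    cdata_len, cdata_off = u16(24), u16(26)
    return {"length": u16(0), "type": pkt[4], "version": u16(8),
            "connect_data": pkt[cdata_off:cdata_off + cdata_len].decode("ascii")}

def identify(probe, banner):
    """Run the match lines over a banner and format the hit the way nmap -sV prints it."""
    for service, regex, flags, product, version, info in probe["matches"]:
        mo = re.search(regex, banner, re.I if "i" in flags else 0)
        if mo:
            fill = lambda t: re.sub(r"\$(\d+)", lambda d: mo.group(int(d[1])), t)
            return service, " ".join(x for x in (product, fill(version), fill(info)) if x)
    return None
```

The decoded payload is 90 bytes, which is exactly the 0x5A in its first two bytes, and its connect data is the plain string (CONNECT_DATA=(COMMAND=version)) that the listener answers with its VERSION banner.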
[frank@w0001 frank]$ perl tnscmd.pl status --indent -h 192.168.74.10 -p 1522
sending (CONNECT_DATA=(COMMAND=status)) to 192.168.74.10:1522
writing 89 bytes
reading
. .......6.........n. ...........x........
DESCRIPTION=
TMP=
VSNNUM=153092864
ERR=0
ALIAS=LISTENER_STOREDB
SECURITY=OFF !!!(pls pls hack me)!!!
VERSION=TNSLSNR for Linux: Version 9.2.0.3.0 - Production
START_DATE=04-NOV-2003 23:52:39
SIDNUM=1
LOGFILE=/opt/oracle/ocs904_storedb/network/log/listener_storedb.log
PRMFILE=/opt/oracle/ocs904_storedb/network/admin/listener.ora
TRACING=off
UPTIME=5735006
SNMP=OFF
PID=3695
.Z........
ENDPOINT=
HANDLER=
HANDLER_MAXLOAD=0
HANDLER_LOAD=0
ESTABLISHED=0
REFUSED=0
HANDLER_ID=CB53F399FA34-DE03-E030-A8C00A4A0E6F
PRE=any
SESSION=NS
DESCRIPTION=
ADDRESS=
PROTOCOL=ipc
KEY=EXTPROC_STOREDB
,,
ENDPOINT=
HANDLER=
HANDLER_MAXLOAD=0
HANDLER_LOAD=0
ESTABLISHED=0
REFUSED=0
HANDLER_ID=CB53F399FA35-DE03-E030-A8C00A4A0E6F
PRE=any
SESSION=NS
DESCRIPTION=
ADDRESS=
PROTOCOL=tcp
HOST=s0002.berger.com
PORT=1522
,,
ENDPOINT=
HANDLER=
STA=ready
HANDLER_MAXLOAD=0
HANDLER_LOAD=0
ESTABLISHED=0
REFUSED=0
HANDLER_ID=CB53F399FA7D-DE03-E030-A8C00A4A0E6F
PRE=FTP
SESSION=RAW
DESCRIPTION=
ADDRESS=
PROTOCOL=tcp
HOST=s0002.berger.com
PORT=2100
Presentation=FTP
Session=RAW
,,
SERVICE=
SERVICE_NAME=PLSExtProc
INSTANCE=
INSTANCE_NAME=PLSExtProc
NUM=1
INSTANCE_STATUS=UNKNOWN
NUMREL=1
,,
SERVICE=
SERVICE_NAME=storedb.s0002.berger.com
INSTANCE=
INSTANCE_NAME=storedb
NUM=1
INSTANCE_STATUS=UNKNOWN
NUMREL=1
INSTANCE=
INSTANCE_NAME=storedb
NUM=2
NUMREL=1
,,
SERVICE=
SERVICE_NAME=storedbXDB.s0002.berger.com
INSTANCE=
INSTANCE_NAME=storedb
NUM=2
NUMREL=1
,,.........@
[frank@w0001 frank]$
Please note that we need no passwords to get that information! We just need to ask for it, using the TNS command STATUS. See also the line SECURITY=OFF in the output: it simply states that you do not need to provide a password to shut down the Listener (TNS command STOP) or to change its configuration (which makes it possible to modify the $HOME/.rhosts of user oracle :-) ).
To learn more about tnscmd.pl have a look at the documentation [TCD] prepared by the author.