Bugcon is one of the most popular security conferences in México. I will be attending for the first time this year and I'm very excited. I've heard good things about it and I'm looking forward to meeting some of the infosec folks here in México.
If you are in Mexico City on Feb 2nd and 3rd, don't miss this great event!
Bugcon official website: http://www.bugcon.org/main/
Bugcon schedule: http://www.bugcon.org/main/schedule
A few months ago I submitted an article to Pentest Magazine called "Gathering web server information with Nmap NSE".
HTTP response analysis with Nmap
Widely used protocols are always at the mercy of the developers implementing them, and HTTP is no exception. Specially crafted requests make each web server behave in its own way, and this allows us to do some nifty tricks to
Android users: The Android port also got updated.
And this is why it is always a good idea to keep around several options:
Lately I've noticed a lot of hosts moving to Cloudflare's service, and I don't blame them: I've tried it and loved it. But what happens when you scan one of these hosts?
# nmap -sV -sS -F <target>

Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2011-11-03 00:15 PDT
Nmap scan report for <target> (<target's ip>)
Host is up (0.0069s latency).
Other addresses for <target> (not scanned): <another ip>
rDNS record for <target's ip>: <host>.cloudflare.com
Not shown: 98 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http?
443/tcp closed https
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

[Fingerprint posted in Pastebin for clarity]

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.17 seconds
Not much information there. From the fingerprint we can see that Cloudflare actually blocked us and sent us to the challenge page, where we failed miserably.
Let's use dns-brute to check if the system administrator left Cloudflare's default DNS name "direct" pointing to his real IP address.
# nmap --script dns-brute -sn <target>

Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2011-11-03 00:32 PDT
Nmap scan report for <target> (<ipA>)
Host is up (0.0069s latency).
Other addresses for <target> (not scanned): <ipB>
Host script results:
| dns-brute:
|   DNS Brute-force hostnames
|     www.<target> - <ipA>
|     www.<target> - <ipB>
|     direct.<target> - XXX.XXX.XXX.XXX
Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
It seems like he did. The hostname direct.<target> points to the real IP address. Usually you will also see other DNS entries like 'mail' or 'ftp' pointing to the same IP, a good indicator that this is the IP we want. Let's scan this IP to see what services are running.
Nmap scan report for
Host is up (0.030s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     ProFTPD 1.3.1
22/tcp   open  ssh     OpenSSH 5.1p1 Debian 5 (protocol 2.0)
25/tcp   open  smtp    Postfix smtpd
53/tcp   open  domain  ISC BIND 9.6-ESV-R4
80/tcp   open  http    nginx 0.7.67
110/tcp  open  pop3    Dovecot pop3d
111/tcp  open  rpcbind (rpcbind V2) 2 (rpc #100000)
143/tcp  open  imap    Dovecot imapd
2049/tcp open  nfs     (nfs V2-4) 2-4 (rpc #100003)
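The flip side of the dns-brute check above is auditing your own zone before someone else does. As an added example (not code from the original post), this script walks a zone export and flags every A record that resolves outside Cloudflare's proxy ranges, grouping names that share one unproxied address, the direct/mail/ftp pattern described above. The zone records are constructed, and the range list is a subset that the operator is assumed to keep current from Cloudflare's published list.

```python
import ipaddress
from collections import defaultdict

# Subset of Cloudflare's published IPv4 proxy ranges (assumption: the operator
# refreshes this list from https://www.cloudflare.com/ips-v4 before each audit).
CLOUDFLARE_V4 = [
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
]

# Constructed zone export: (hostname, record type, value). 203.0.113.0/24 is the
# RFC 5737 documentation block, standing in for the real origin server.
ZONE_RECORDS = [
    ("www.example.com", "A", "104.16.1.1"),
    ("www.example.com", "A", "104.16.2.1"),
    ("direct.example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.10"),
    ("ftp.example.com", "A", "203.0.113.10"),
    ("example.com", "MX", "10 mail.example.com."),
]


def is_proxied(ip, ranges=CLOUDFLARE_V4):
    """True when the address lies inside one of the proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def find_origin_exposures(records, ranges=CLOUDFLARE_V4):
    """Return {unproxied_ip: [hostnames]} for every A record that bypasses the
    proxy. Several names on one address is the tell-tale pattern: the origin is
    reachable directly, so firewalling it to the proxy ranges is the fix."""
    exposed = defaultdict(list)
    for name, rtype, value in records:
        if rtype != "A":
            continue  # MX/CNAME targets are covered by their own A records
        if not is_proxied(value, ranges):
            exposed[value].append(name)
    return dict(exposed)


if __name__ == "__main__":
    for ip, names in find_origin_exposures(ZONE_RECORDS).items():
        print(f"{ip} reachable directly via: {', '.join(names)}")
```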