Sunday, March 19, 2017

A Simple Python 3 Script for my Favorite nmap Scripts

There are a few nmap scripts I use all the time. I can't always remember the syntax so I wrote a simple Python 3 script to list them.

If an IP address is required you are prompted to enter one. You can put in any valid IP address or address range in nmap format. There is no error checking so if you put in an invalid address you will get an invalid script output.

If an SNMP community string is required you will be prompted to enter it. Again, there is no error checking so enter carefully.

Example Usage

Troubleshooting NTP on Cisco devices can be time consuming. The first step I take is to run the nmap script for ntp info. It quickly tells me if the IP address I'm pointing "ntp server" to is actually serving up NTP.

mhubbard@1S1K-SYS76:~/Dropbox/Python/Scripts$ python3 nmap3.py

0 Download Cisco Configs using SNMP
1 Checking Server Cipher Suites using ports 443, 465, 993 and 995
2 Display SSH fingerprint (Host Keys)
3 Troubleshooting DHCP with the NMAP Broadcast-DHCP-Discover script
4 Troubleshooting DHCP with the NMAP DHCP-Discover script
5 Troubleshooting IPv6 DHCP with a broadcast discover
6 Brute Forcing SNMP with NMAP - Requires a text file of guesses in c: ftp-root\snmp-string.txt
7 BACNET - scripts from https://github.com/digitalbond/Redpoint#enip-enumeratense
8 DNS Broadcast Discover
9 Banner Grab using banner-plus from HD Moore
10 NTP Monlist - Pull down NTP server information
11 NTP INFO - Pull down general NTP information
12 DNS Brute - Uses nselib/data/dns-srv-names for list of SRV records to try, nselib/data/vhosts-full.lst for hosts
13 SMB - Various scripts for SMB servers
14 SNMP on Windows
15 Basic Script Scan the -vv option includes more detail
16 SQL nmap --script smb-os-discovery.nse -p445 192.168.10.221
17 - Check for SSH V1


3.4.3 (default, Nov 17 2016, 01:08:31)
[GCC 4.8.4]


Input a number to select 11
Enter the IP Address 192.168.10.221
nmap -sU -p 123 --script ntp-info 192.168.10.221
mhubbard@1S1K-SYS76:~/Dropbox/Python/Scripts$ sudo nmap -sU -p 123 --script ntp-info 192.168.10.221

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-19 18:23 PDT
Nmap scan report for 192.168.10.221
Host is up (0.0013s latency).
PORT    STATE SERVICE
123/udp open  ntp
| ntp-info:
|_  receive time stamp: 2017-03-20T01:23:57
MAC Address: 00:0C:29:4C:AA:4E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 10.31 seconds

If you don't see a receive time stamp in the output, the server you are pointing "ntp server" to isn't serving NTP and won't work.

Environmental Monitoring Systems

Here is a more involved example. I do a lot of core switch and edge switch replacements. It's important to know if any Environmental Monitoring Systems (EMS) are in place. Choice 7 in the script will return each of the Digital Bond ICS nmap scripts. Luckily most of my customers have a dedicated EMS VLAN so I just scan that VLAN.

BUT, I have found EMS devices on GUEST networks (oops!) and on user LAN segments, so you may need to scan a lot of networks.

Since there are a lot of different EMS vendors, the script outputs 11 different nmap scripts.

mhubbard@1S1K-SYS76:~/Dropbox/Python/Scripts$ python3 nmap3.py

0 Download Cisco Configs using SNMP
1 Checking Server Cipher Suites using ports 443, 465, 993 and 995
2 Display SSH fingerprint (Host Keys)
3 Troubleshooting DHCP with the NMAP Broadcast-DHCP-Discover script
4 Troubleshooting DHCP with the NMAP DHCP-Discover script
5 Troubleshooting IPv6 DHCP with a broadcast discover
6 Brute Forcing SNMP with NMAP - Requires a text file of guesses in c: ftp-root\snmp-string.txt
7 BACNET - scripts from https://github.com/digitalbond/Redpoint#enip-enumeratense
8 DNS Broadcast Discover
9 Banner Grab using banner-plus from HD Moore
10 NTP Monlist - Pull down NTP server information
11 NTP INFO - Pull down general NTP information
12 DNS Brute - Uses nselib/data/dns-srv-names for list of SRV records to try, nselib/data/vhosts-full.lst for hosts
13 SMB - Various scripts for SMB servers
14 SNMP on Windows
15 Basic Script Scan the -vv option includes more detail
16 SQL nmap --script smb-os-discovery.nse -p445 192.168.10.221
17 - Check for SSH V1


3.4.3 (default, Nov 17 2016, 01:08:31)
[GCC 4.8.4]


Input a number to select 7
Enter the IP Address 10.23.200.0/24
nmap -sU -p 47808 -n --script bacnet-info.nse 10.23.200.0/24
nmap -sU -p 47808 -n --script BACnet-discover-enumerate 10.23.200.0/24
nmap -sU -p 47808 -n --script BACnet-discover-enumerate --script-args full=yes 10.23.200.0/24
nmap -p 44818 --script enip-enumerate 10.23.200.0/24
nmap -p 1911 --script fox-info 10.23.200.0/24
nmap -p 502 --script modicon-info.nse -sV 10.23.200.0/24
nmap -p 9600 --script omrontcp-info 10.23.200.0/24
nmap -sU -p 9600 --script omronudp-info 10.23.200.0/24
nmap -p 1962 --script pcworx-info -sV 10.23.200.0/24
nmap -p 20547 --script proconos-info -sV 10.23.200.0/24
nmap -p 102 --script s7-enumerate -sV 10.23.200.0/24
sudo nmap -sU -p 47808 -n --script BACnet-discover-enumerate 10.23.200.0/24
sudo nmap -sU -p 47808 -n --script BACnet-discover-enumerate --script-args full=yes 10.23.200.0/24
sudo nmap -p 1911 --script fox-info 10.23.200.0/24
nmap -p 9600 --script omrontcp-info 10.23.200.0/24
sudo nmap -sU -p 9600 --script omronudp-info 10.23.200.0/24
nmap -p 1962 --script pcworx-info -sV 10.23.200.0/24
nmap -p 20547 --script proconos-info -sV 10.23.200.0/24
sudo nmap -p 102 --script s7-enumerate -sV 10.23.200.0/24
sudo nmap -p 44818 --script enip-enumerate 10.23.200.0/24
sudo nmap -p 502 --script modicon-info.nse -sV 10.23.200.0/24
mhubbard@1S1K-SYS76:~/Dropbox/Python/Scripts$
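The menu-and-prompt flow described at the top of this post (pick a number, enter a target, enter an SNMP community string when needed) and the choice 7 EMS list above can be reproduced in a few dozen lines. The block below is an added example, not the nmap3.py from the post or anything from the nmap project; it carries four of the menu entries (0, 7, 11 and 16) with the command lines taken from the output shown on this page, and it adds the error checking the original deliberately leaves out: the target has to be a single IP, a CIDR block or an nmap octet range, the community string has to be non-empty and printable, and commands are built as argv lists so a target is never reparsed as extra options if the list is later handed to subprocess. The command for entry 0 is not shown on the page; the snmp-ios-config script with its snmpcommunity argument is my assumption, as are the function names MENU, valid_target, valid_community, build_commands and render.

```python
"""Menu-driven builder for nmap NSE command lines.

Added example, not the blog's nmap3.py. Menu entries and command lines come
from the post; the entry 0 command (snmp-ios-config / snmpcommunity) is an
assumption. Adds the target and community checks the original lacks.
"""
import ipaddress
import re
import shlex

# Each entry: (label, needs_target, needs_community, argv templates).
# "{target}" and "{community}" are substituted per argument after validation.
MENU = {
    0: ("Download Cisco Configs using SNMP", True, True,
        [["nmap", "-sU", "-p", "161", "--script", "snmp-ios-config",       # assumed command
          "--script-args", "snmpcommunity={community}", "{target}"]]),
    7: ("BACNET - Digital Bond Redpoint ICS scripts", True, False,
        [["nmap", "-sU", "-p", "47808", "-n", "--script", "bacnet-info.nse", "{target}"],
         ["nmap", "-sU", "-p", "47808", "-n", "--script", "BACnet-discover-enumerate", "{target}"],
         ["nmap", "-sU", "-p", "47808", "-n", "--script", "BACnet-discover-enumerate",
          "--script-args", "full=yes", "{target}"],
         ["nmap", "-p", "44818", "--script", "enip-enumerate", "{target}"],
         ["nmap", "-p", "1911", "--script", "fox-info", "{target}"],
         ["nmap", "-p", "502", "--script", "modicon-info.nse", "-sV", "{target}"],
         ["nmap", "-p", "9600", "--script", "omrontcp-info", "{target}"],
         ["nmap", "-sU", "-p", "9600", "--script", "omronudp-info", "{target}"],
         ["nmap", "-p", "1962", "--script", "pcworx-info", "-sV", "{target}"],
         ["nmap", "-p", "20547", "--script", "proconos-info", "-sV", "{target}"],
         ["nmap", "-p", "102", "--script", "s7-enumerate", "-sV", "{target}"]]),
    11: ("NTP INFO - Pull down general NTP information", True, False,
         [["nmap", "-sU", "-p", "123", "--script", "ntp-info", "{target}"]]),
    16: ("SMB OS discovery", True, False,
         [["nmap", "--script", "smb-os-discovery.nse", "-p445", "{target}"]]),
}

# nmap octet-range syntax, e.g. 192.168.10.1-50 (bounds checked below).
_OCTET_RANGE = re.compile(r"^(?:\d{1,3}(?:-\d{1,3})?\.){3}\d{1,3}(?:-\d{1,3})?$")


def valid_target(text):
    """Accept one IPv4/IPv6 address, a CIDR block, or an nmap octet range.
    Anything else, shell metacharacters included, is rejected."""
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        pass
    if not _OCTET_RANGE.match(text):
        return False
    for part in text.split("."):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 255:
            return False
    return True


def valid_community(text):
    """Community strings are free-form, but refuse empty input and any
    whitespace or control characters that would split or hide in a command."""
    return bool(text) and text.isprintable() and not any(c.isspace() for c in text)


def build_commands(choice, target=None, community=None):
    """Return the argv lists for a menu entry; raise ValueError on bad input."""
    if choice not in MENU:
        raise ValueError(f"no menu entry {choice}")
    _, needs_target, needs_community, templates = MENU[choice]
    if needs_target and not (target and valid_target(target)):
        raise ValueError(f"invalid target: {target!r}")
    if needs_community and not (community and valid_community(community)):
        raise ValueError("invalid SNMP community string")
    fill = {"target": target or "", "community": community or ""}
    return [[arg.format(**fill) for arg in argv] for argv in templates]


def render(commands):
    """Shell-quoted one-liners for display, the way nmap3.py prints them."""
    return [shlex.join(argv) for argv in commands]


if __name__ == "__main__":
    for num, (label, *_rest) in sorted(MENU.items()):
        print(num, label)
    choice = int(input("Input a number to select "))
    _, needs_target, needs_community, _ = MENU[choice]
    target = input("Enter the IP Address ") if needs_target else None
    community = input("Enter the SNMP community string ") if needs_community else None
    for line in render(build_commands(choice, target, community)):
        print(line)
```

Running it interactively reproduces the prompts shown in the sessions above; a bad target now stops with a ValueError instead of producing an unusable nmap line. Because build_commands returns argv lists, the same output can be passed straight to subprocess.run without ever going through a shell.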



The Script

You can download the script on github at nmap-python

Monday, March 13, 2017

Southern California Linux Expo Scale 15x


I decided to go big this year, get a hotel and make the most of the Southern California Linux Expo or Scale 15x. This is the fifteenth Scale and the second year that it has been in Pasadena. The conference opened on Thursday March 2nd and ran through Sunday March 5th. Here is the home page for scale 15x if you want to review the show.

The talks are being uploaded to Youtube. It's odd but the title on youtube doesn't have the talk's name in it. You need to know what room the talk was in and what day it was given. I have a link to the daily schedules in the references below.

How did Scale 15x compare to Scale 14x?

Last year I only went on Saturday so I didn't get to do nearly as much. But my impression is that 15 was quite different. Last year the expo floor had several HAM radio and Maker booths along with a few local Linux Users Groups. In addition there were several booths with small projects dedicated to TOR and anonymity on the web. There was definitely a "Snowden" effect going on. HPE purchased 4 booths and had a huge group of products and people talking about them.
The Scale 15x expo floor seemed much more like a typical tech show. The only LUG I saw was the San Gabriel Valley LUG and I didn't see any Maker or Ham booths. But there were a lot more companies showing products. The expo floor was still excellent and well worth my time but it was a different feeling.
I wasn’t able to make the Thursday or Friday talks but I got there in time on Friday to pick up my badge and hit the expo floor. I purchased a System76 Gazelle last summer and love it. I went with the fastest i7 6700 processor, 16GB of RAM and a Samsung Evo 850 SSD. The laptop supports m.2 NVME drives but my wallet didn’t!
System76 was one of the first booths and I got to meet James from tech support and see the new Oryx Pro laptop. As always, I learned something new from James and loved the Oryx. It supports up to 64GB of RAM, two NVME drives and an NVIDIA 1060 or 1070 GPU. The GPU drives a beautiful 4k display. I definitely need to get an Oryx Pro!
I also spent some time at the Libre Office booth. A very nice guy demoed Draw for me. I obviously have Libre Office installed since I’m running Ubuntu but I hadn’t noticed the Draw application. It is well done and after a quick search he found several networking icon packs. I need to spend some time to see what all is available for Draw.
Gentoo had a booth and I spent a lot of time with them. I learned a lot about Gentoo (and Pentoo) that I think will be useful as I continue learning about Linux. Gentoo is a distro that does a minimal install and then you can add the packages you need. Sounds like a great distro for a couple older quad core Core Duo desktops that I have at home.
The big change though was the demographics of the crowd. There were still a lot of old gray beards but there were a lot of high school students. This wasn't just luck, the organizers made a push to get younger people involved.  

Speaking of Getting Involved


I attended Luis Hernandez's talk on “Open Source Role in Cyber Competitions” and it was great. Luis is working hard to get middle and high schools to start security classes. Here is a link to the description of his talk - Open Source Role in Cyber Competitions. The page has a PDF of his slides. If you have any spare time and want to help start a program at a local school please contact Luis.

Capture that Flag!


On Saturday,  the inaugural “Capture the Flag” event for the Cyber Patriot program was held. The first hour of the competition was hardening an Ubuntu system. The next section was based on the Facebook CTF and involved a lot of decrypting of coded messages.

Don't know anything about Linux?

That's no problem! There were full day classes on Saturday and Sunday for beginners. There was an installfest along with the training so you could bring your own older PC and get help installing Linux on it. See the references below for more information.

The Security Track   


Obviously this is the track I followed, who needs to know what Kubernetes is! Both Saturday and Sunday were filled with talks. I even scored a brand new Yubikey 4 at the “Hardening PGP keys with the Yubikey" talk. I have wanted a Yubikey for some time but just hadn’t bought one yet so I was very excited! I can’t wait to get my SSH keys set up and to start using it for two-factor authentication. Most of the cloud services that I use support the Yubikey for 2FA. Here is a link to the Security Track page.

Open Source Role in Cyber Competitions

As mentioned above, I sat in on a talk focused on getting IT security training set up in middle and high schools. The instructor, Luis Hernandez, was very passionate and successful! He had students from North Hollywood HS that had successfully competed in a national competition. Here is the summary from the talk - “The overall purpose is to show how Linux has helped prepare students for sysadmin roles in the real world as this is what they need to do during competition.” If you work in a school or have a desire to volunteer, Luis would be the guy to contact!

The Web of Trust

I have had a PGP key pair for quite a while but never attended a key signing party before. Over thirty of us showed up after the expo on Saturday night and after a couple hours we each had verified everyone’s key fingerprint and two forms of ID. Now I have thirty signatures in my web of trust. It was a really cool thing to do and I met a lot of hard core Linux fans.

My HAM radio License

I have wanted to get my FCC HAM radio license for a couple years now but never took the time. I was a 2841 Field Radio Technician in the Corps and have a degree in electronics so I figured the technical part of the exam wouldn’t be too hard but the regulation part always scared me off.
At Scale the exam was being offered on both Saturday and Sunday but I hadn’t realized it so I hadn’t prepared. One of the guys at the key signing party was a member of the test staff. He encouraged me to download the guide from dc408 ham radio guide, study and take the exam on Sunday. It was already after 21:00 and it had been a long day but I went back to the hotel and plowed through the guide. I passed the exam on Sunday!!

The Dark Arts of SSH

The last talk I attended was right after I passed my HAM license exam. I got there a bit early and there was a kid in the row ahead of me. He looked to be about 13 and was glued to his phone. I assumed that he was playing a game but it turns out he was studying for the Ham exam! Unfortunately it was too late to take the exam but he was preparing for next year!
This was a pretty good talk. I have been studying from Michael Lucas's great book “SSH Mastery” but I still picked up a few tips. I can't recommend SSH Mastery enough. It's $10 and Michael self publishes it.

What about Next Year?

Scale is a really good event. The ticket is $87.50 and the Howard Johnson hotel was only $125 per night so compared to a VMworld or Cisco Live it's practically free. Next year I hope to be able to take Friday off and go all day. This year I was too tired to go to the Friday after party; next year I'm making it my goal!

References