Nmap: Not so -sStealthy after all

Nmap is one of the most widely used network enumeration tools in the cybersecurity landscape.  Through a range of scan types it performs host discovery and port scanning, and reports key details about the devices it probes.  That utility makes it indispensable in a security professional's toolkit, but the same is true for malicious actors, who routinely use nmap to find a way into a network, or to map what is inside one once they have gained access.  It is therefore essential for security professionals to understand the nuts and bolts of how nmap scans work, and how to detect them.

The most commonly used nmap scan is the SYN scan.  Selected with the -sS flag (it is also the default when nmap runs with the raw-socket privileges it needs, i.e. as root), this scan identifies the state of TCP ports on a target.  Open ports are potential entry points into a system, so identifying them is a must for red and blue teamers alike.  An example of this scan can be seen below:

Here, we are performing a SYN scan against scanme.nmap.org to determine which ports it has open.  Nmap does this by sending a SYN packet to each of the 1000 most commonly used TCP ports on the target, its default port list.  The reply, or the absence of one, differs depending on whether the port is open, closed, or filtered by something like a firewall: an open port answers with SYN/ACK, a closed port answers with RST, and a filtered port typically does not answer at all (or an ICMP unreachable error comes back), so nmap retransmits the probe a few times before giving up on it.  The scan above shows that, of the 1000 ports, 4 are open and 1 is filtered.  To understand how nmap determines the state of all these ports, we can fire up Wireshark and analyse exactly what is happening.

In this image, we are using Wireshark to filter for traffic on port 22 of our target, one of the ports we know is open.   When the SYN packet from our scan arrives at the target on port 22, the target replies with a SYN/ACK, indicating that it is willing to establish a TCP connection on that port.  Because the target was willing to establish a connection, nmap marks the port as open.  As soon as our machine receives the SYN/ACK, it sends a RST straight back.  This scan never completes the TCP handshake: once the SYN/ACK arrives nmap has all the information it needs, and the half-open connection is torn down.  Note that the RST is actually generated by the scanning host's own TCP stack, not by nmap: nmap crafted the SYN as a raw packet, so the kernel has no socket for this connection and answers the unexpected SYN/ACK with a RST as it would for any stray segment.

If the port is closed, on the other hand, we see a different exchange between our machine and the target:

Nmap reported port 23 as closed, and when we change the Wireshark filter to look at traffic to port 23 on that device we can see why.  The initial SYN is simply met with a RST/ACK from the target, which is how a TCP stack answers a connection attempt on a port with no process listening.  Nothing further can be sent to that port, since the target will not accept connections on it.

Understanding how the SYN scan works at the packet level shows why it came to be known as the stealth scan.  It never establishes a full TCP connection to an open port; it leaves the connection half-open.  Because the handshake is never completed, the listening application never receives the connection and so never logs it, which on older systems was often the only record that would have been kept.  

However, most modern intrusion detection systems and firewalls detect SYN scans of this kind without difficulty, so the stealth label no longer really applies.  Even with nothing more than a packet analyser like Wireshark, a SYN scan is easy to spot if you know what to look for.  

This is where we switch to a blue team mindset, aiming to identify whether a scan is taking place against our network or devices.  By examining the SYN packets nmap sends, we can pick out a few fields that give away a basic SYN scan: the window size and the TCP options field, which in turn determines the header length of the packet.  All of these are highlighted in yellow below:

Compared with regular traffic between devices, these fields are distinctly abnormal.  Compare them with the SYN packet that was sent when I connected to google.com:

Viewing the two packets side by side makes nmap's SYN stand out as irregular.  The window size in nmap's packet is tiny compared with a legitimate SYN, and nmap's packet carries far fewer TCP options, so its header length is shorter by a significant number of bytes.  These differences arise because nmap builds and sends the SYN packets itself: it crafts raw packets and fills in the header fields on its own, rather than asking the operating system to open a connection.  SYN packets belonging to regular traffic are built by the operating system's TCP stack, which negotiates options such as maximum segment size, selective acknowledgement, timestamps and window scaling, and advertises a much larger receive window; that is why their fields and values differ.

With these differences in mind, we can build a Wireshark display filter that catches the SYN packets sent by this scan.  If I were a network administrator and saw packets like this crossing the network, it would certainly raise the suspicion that someone is scanning it.  The filter can be seen below; it matches only SYN packets whose window size and header length are those of nmap's probes.
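The two halves of this post, how the scanner turns replies into port states and how a defender can flag nmap's hand-built SYN packets, can be exercised together on raw packet bytes.  The Python below is an added example written for this page, not code from the post or from the nmap project; it parses TCP headers from bytes instead of reading them off a Wireshark screen, and every packet in it is constructed inline rather than captured.  The 1024-byte window and MSS-only options it gives nmap's probe, the 64240 window and option set it gives the operating system's SYN, and the thresholds in looks_like_nmap_syn are assumptions modelled on typical captures; check them against your own before turning them into a rule.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# TCP flag bits (low 9 bits of the data-offset/flags word).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    flags: int
    window: int
    header_len: int   # bytes: 20 for the fixed part plus any options
    options: bytes


def parse_tcp(segment: bytes) -> TcpHeader:
    """Decode the TCP header at the start of a raw segment (RFC 9293 layout)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4          # data offset is in 32-bit words
    flags = off_flags & 0x1FF
    if header_len < 20 or len(segment) < header_len:
        raise ValueError("bad data offset")
    return TcpHeader(sport, dport, flags, window, header_len, segment[20:header_len])


def build_tcp(sport: int, dport: int, window: int, options: bytes = b"",
              flags: int = SYN) -> bytes:
    """Build a raw TCP header for the constructed samples below.
    Sequence numbers and checksum are left at zero; nothing here is ever sent."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                        (data_offset << 12) | flags, window, 0, 0)
    return fixed + options


# --- 1. How a SYN scan turns replies into port states -------------------

def classify_port(reply: Optional[TcpHeader]) -> str:
    """What the scanner concludes from the reply to one SYN probe.  None models
    a probe that drew no reply even after retransmission (an ICMP unreachable
    error, not modelled here, also yields 'filtered')."""
    if reply is None:
        return "filtered"
    if reply.flags & SYN and reply.flags & ACK:
        return "open"      # the scanning host's kernel answers this SYN/ACK with RST
    if reply.flags & RST:
        return "closed"
    return "unknown"


def scan_results(exchange):
    """exchange: (port, probe_bytes, reply_bytes_or_None) triples -> {port: state}."""
    return {port: classify_port(parse_tcp(reply) if reply else None)
            for port, _probe, reply in exchange}


# --- 2. Spotting nmap's hand-built SYNs in a capture --------------------

# Assumed values for the constructed samples: nmap's raw probe advertises a
# 1024-byte window and carries only an MSS option (24-byte header); an OS-built
# SYN advertises a large window and several options (40-byte header here).
NMAP_WINDOW = 1024
NMAP_OPTIONS = b"\x02\x04\x05\xb4"                 # MSS 1460
OS_OPTIONS = (b"\x02\x04\x05\xb4"                  # MSS 1460
              + b"\x04\x02"                        # SACK permitted
              + b"\x08\x0a" + b"\x00" * 8          # timestamps
              + b"\x01"                            # NOP
              + b"\x03\x03\x07")                   # window scale 7


def looks_like_nmap_syn(h: TcpHeader) -> bool:
    """The post's Wireshark filter as code: a bare SYN with a tiny window and
    a short header.  The thresholds are this example's assumptions."""
    bare_syn = (h.flags & (SYN | ACK | RST | FIN)) == SYN
    return bare_syn and h.window <= NMAP_WINDOW and h.header_len <= 24


def flag_nmap_syns(capture):
    """Indexes of the packets in a capture that match the rule."""
    return [i for i, pkt in enumerate(capture) if looks_like_nmap_syn(parse_tcp(pkt))]


# Constructed samples (not a real capture).
SCANNER_PORT = 63421
NMAP_PROBE = build_tcp(SCANNER_PORT, 22, NMAP_WINDOW, NMAP_OPTIONS)
OS_SYN = build_tcp(51234, 443, 64240, OS_OPTIONS)               # browser connecting out
EVASIVE_PROBE = build_tcp(SCANNER_PORT, 22, 64240, OS_OPTIONS)  # scanner mimicking the OS

# A three-port scan as seen on the wire: port 22 open, 23 closed, 25 filtered.
SCAN_EXCHANGE = [
    (22, NMAP_PROBE, build_tcp(22, SCANNER_PORT, 65535, NMAP_OPTIONS, flags=SYN | ACK)),
    (23, build_tcp(SCANNER_PORT, 23, NMAP_WINDOW, NMAP_OPTIONS),
         build_tcp(23, SCANNER_PORT, 0, flags=RST | ACK)),
    (25, build_tcp(SCANNER_PORT, 25, NMAP_WINDOW, NMAP_OPTIONS), None),
]
CAPTURE = [NMAP_PROBE, OS_SYN, EVASIVE_PROBE, SCAN_EXCHANGE[0][2]]

if __name__ == "__main__":
    print(scan_results(SCAN_EXCHANGE))   # {22: 'open', 23: 'closed', 25: 'filtered'}
    print(flag_nmap_syns(CAPTURE))       # [0]: only the stock nmap probe is caught
```

Running it reports port 22 open, 23 closed and 25 filtered from the constructed exchange, and flags only the stock nmap probe in the capture.  EVASIVE_PROBE is the same scan SYN with the operating system's window and options copied in; the rule lets it through, which is exactly the weakness discussed next.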

However, while this may catch someone running a basic SYN scan, attackers are always finding new ways to evade detection.  They could use a different scan type that the current rule does not cover, or craft the SYN packets themselves with a larger window and the usual set of TCP options, so that the window size and header length no longer match the values our filter looks for and the rule is bypassed entirely.

While the filter we created for these scans may be easy to circumvent, the exercise is still a great opportunity to learn how nmap works beneath the surface.  In general, understanding how things work at the packet level is a great way to build understanding and lay solid foundations that will serve you well as you go on to explore and investigate new and exciting things in the field.  I would encourage everyone with an interest in cybersecurity to play around with tools like nmap and Wireshark in just this way; getting into the nitty-gritty of how they work is the best way to build up that important knowledge base and avoid being just another script kiddie.

Book Review: The Art of Deception by Kevin Mitnick

Kevin Mitnick's 'The Art of Deception' is a deep dive into the world of social engineering, far beyond the clumsy phishing attempts filling our inboxes. Before picking up this book, my idea of a social engineer was pretty one-dimensional: malicious actors crafting phishing emails, or the one rogue actor who might try to sneak into a company building in an obvious way. But Mitnick, one of the most infamous hackers of the 1990s, turns that image on its head. He unpacks the many manipulative tactics that social engineers can use to infiltrate organisations, preying on the weakest link of any security operation, the human element.  Even with the most sophisticated tech of our modern technological age, if the people around us do not remain vigilant, Mitnick tactfully demonstrates just how easily social engineers can break in undetected.


Delving into Mitnick's accounts, I came to understand that cybersecurity isn't just about the secure technologies we use; it's about the bigger picture of security.  It encompasses both the digital defences and the human elements that play a crucial role in protecting information, with both being of equal importance.  His stories, while some hinge on outdated tech like telephone switchboards, are timeless in their lessons. They taught me that vigilance is key and that the most innocuous details can be twisted into a tool for deceit. Information that may seem harmless to you may be the key a social engineer needs to manipulate his way into your organisation.  The various anecdotes Mitnick provides made me more cautious and critical of the information I give out and whom I trust, a mindset shift that is sure to stick with me throughout my career.

Mitnick’s book shines with its detailed breakdown of social engineering tactics, painting a vivid picture from both the perpetrator’s and the victim’s perspectives. Each chapter follows a similar style that presents each social engineering tactic in an engaging way.  Mitnick fills each chapter with multiple vignettes of each ‘con’, exploring its execution from the victim and social engineer’s point of view, before analysing its execution and prevention.  Providing both the perspectives of the social engineer and the victim really cements the realism of each story, which allowed me to really grasp just how easily an attack like this could occur unnoticed.  Each chapter is rich with detail, and Mitnick follows this up by providing a comprehensive list of security policies and measures to combat all the different attacks he explores throughout the book.  Despite being written for a different technological era, this section may provide the best value for many people as Mitnick clearly was extremely thorough in his suite of recommendations. 

While Mitnick's work is rich in detail, I found that many of the chapters tended to slightly overstay their welcome. The later chapters start to blend into each other, and cutting down on some of the repetition could make the key points stand out more.  Reducing some chapters by even one or two anecdotes would go a long way towards streamlining the reading experience. The lack of variety in the style of the chapters also slightly hampered my enjoyment as I read through the book, and may cause some readers' engagement to wane.  Each story within each chapter was still rich with information, but after you finish the first chapter you soon find that the rest of the book is structured exactly the same way.  I would have liked to see more variety in how the information is presented throughout the book, which I believe would have made it more enjoyable and less repetitive to read.

Overall, 'The Art of Deception' still holds up in the fast-paced world of cybersecurity as an impressively informative read decades on from its release. Mitnick's expertise and prior experience allow him to offer a treasure trove of insights into the minds of social engineers, making it an enlightening read for anyone wishing to expand their defensive knowledge. Even with some sections that could use tightening up, the book's core messages and the lessons it provides are both clear and powerful. I'd recommend it to anyone who wants to up their security game, provided you are willing to look past the dated technology and focus on the key aspects pertaining to the vulnerabilities of human psychology.  If you can, I know you'll find it to be a real eye-opener and a guide that could very well save you from becoming another cautionary tale.