Book Review: Kali Linux Network Scanning Cookbook

Everything you ever wanted to know about scanning (and then some)!

Kali Linux Network Scanning

Security Guru and trainer Justin Hutchens has recently released an exceptional book on network scanning with Kali Linux. The book starts out with the very basics of network scanning and progresses through stages to more advanced scans and even exploitation.

All the basics are present, like using Nmap, ARPing, Scapy and other tools to perform varied levels of discovery, port scanning and fingerprinting.  You are then masterfully shown how to greatly expand the capabilities and functions of these tools by using scripting.

But it doesn’t stop there, you then move on to using scanning tools and Burp Suite to perform Denial of Service attacks, SQL injection and Metasploit attacks. Because really what is a scanning book without including offensive attacks?  🙂

The book is easy to read and follow using step-by-step instructions and screen views. It is setup in sections (called “Recipes”) so that if you want to know how to perform Layer 4 discovery using Scapy or DoS attacks with Nmap, you just go directly to that particular section.

I have worked with Justin on a couple projects and he is one of the most talented security teachers and authors that I have ever met. He covers material in this book that I have never seen covered anywhere else. If you have any interest in network scanning or want to learn a lot more about it, get this book!

Available at Packt Publishing and Amazon.com.

*** UPDATE *** Original print quality issues have been rectified according to the publisher.

SSDP Scanning for UPnP Vulnerabilities

One day I was monitoring a system for network traffic and noticed that an SSDP service was communicating out from the machine to the IP4 and IPv6 broadcast ranges. Kind of odd, as the machine was firewalled and should not have been communicating with anything at that individual time.

So what was it?

SSDP (Simple Service Discovery Protocol) is a protocol that advertises and looks for network services. On Windows systems, SSDP service controls communication for the Universal Plug and Play feature (uPnP).

Well uPnP has not been without it’s issues and earlier this year HD Moore of Rapid7 created a utility that would both scan for SSDP communication and notify you if the system was vulnerable to uPnP exploits.

What is interesting about the “UPnP SSDP M-SEARCH Information Discovery” tool is that it not only tells you if the machine is vulnerable to uPnP exploits, but also returns interesting information about  the machine.

So if the system isn’t vulnerable, chances are that you will at least be able to tell that:

  • It is up and running
  • The service that is running
  • And a valid user name!

The search tool is already included in Metasploit. So all you need to do is run it and feed it a network range:

SSDP search

Then type “run” or “exploit” and it will scan the network range looking systems advertising uPnP services:

SSDP search results 1

Okay, it found one. It doesn’t appear to be vulnerable, if it were the uPnP vulnerabilities would be listed with the return.

But if you notice there is an html link. In this case, if we click the link, we are presented with a bunch of information that includes the machine name and a valid user name!

User results

As you can see from the scan results above, the Media Server was running on this machine, and a valid PC name and username is listed (blocked out to protect the innocent).

For security departments, running this utility against your company will quickly show any services that are being openly broadcasted on your net. If these services are reachable from the internet (over 40 million are!) then you have some serious configuration issues that need to be addressed.