I installed nmap's latest SoC (Summer of Code) v6 release yesterday. Lots of new features and functionality, especially Umit (the new GUI) and NSE (the Nmap Scripting Engine): http://insecure.org/nmap/man/man-nse.html
I was really curious about the ability to script nmap to perform different types of scans, vulnerability detection, version detection, etc...
One of the scripts that comes with nmap was of particular interest to me: ircServerInfo.nse. I've been spending a lot of time playing "whack-a-bot", my version of "whack-a-mole", and it's annoying to have to track and confirm that a box is connecting to a Command & Control server, so a quick and possibly automated way to do some basic checks of the remote IP would save me a lot of grunt work. While botnets are getting more and more advanced and are using different protocols (peer to peer, fast flux DNS and HTTP) to remain up, there are still a huge number of botnets that rely on good ol' IRC. I'll cover fast flux DNS botnets in an upcoming post. Very interesting stuff, all of which is making these botnets more and more resilient to takedown.
Often I'll want details from the server itself while building information on the botnet so I can either send it to the server/desktop group in charge of that box or just keep it for my records and research.
One warning before running this against random IRC C&C servers: the script gets information from IRC servers by issuing STATS, LUSERS, etc. queries, so it is actively connecting to the servers. It also lets the server operator know that you were there. :)
Snippet of code from the script:
sd:send("USER nmap +iw nmap :Nmap Wuz Here\nNICK " .. curr_nick .. "\n")
Having tested this script with various IRC servers, I have noticed that the results are somewhat varied.
C:\tools\nmap>nmap -sC --script=ircServerInfo.nse 140.211.xxx.xxx
Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-08-29 20:31 Eastern Daylight Time
Interesting ports on xxxxxxx.freenode.net (140.211.xxx.xxx):
Not shown: 1694 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp closed http
113/tcp closed auth
443/tcp closed https
6666/tcp open irc-serv
6667/tcp open irc
| IRC Server Info: Server: xxxxx.freenode.net
| Version: hyperion-1.0.2b(382). xxxxx.freenode.net
| Lservers/Lusers: 0/2882
| Uptime: 48 days, 21:40:26
| Source host:xxxxxxxxxx.com
|_ Source ident: OK n=nmap
7000/tcp open afs3-fileserver
7070/tcp open realserver
8000/tcp open http-alt
As you can see, it returns some very interesting and valuable information. I could have specified the particular port that the server was running on to exclude the additional information.
Let's have a look at another one:
C:\tools\nmap>nmap -sC --script=ircServerInfo.nse xxxx.undernet.org
Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-08-30 09:52 Eastern Daylight Time
Interesting ports on xxx.xxxxxxx.com (69.16.xxx.xxx):
Not shown: 1701 filtered ports
PORT STATE SERVICE
5555/tcp open freeciv
6666/tcp open irc-serv
6667/tcp open irc
| IRC Server Info: Server: xxxx.undernet.org
| Servers/Ops/Chans/Users: 28/77/34161/112880 <-- A lot of "users" pwnt!
|_ Lservers/Lusers: 1/11690
7000/tcp open afs3-fileserver
Depending on the server the amount of information varies.
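The "IRC Server Info" block above is just the server's numeric replies to the script's VERSION, LUSERS and STATS queries, boiled down to a few fields. The following is an added example written for this post in Python rather than NSE Lua; it is not the script's own code. It parses raw IRC server lines and produces the same summary lines the script prints, and shows why the output varies: a field the server never sends (freenode's replies here carry no 251/252/254 numerics, so there is no Servers/Ops/Chans/Users line) is simply left out. The reply formats follow the RFC 2812 numerics (001, 242, 251, 252, 254, 255, 351, 451); the transcripts are constructed, with the counts taken from the two scans quoted above.

```python
import re

# Added example, not the NSE script's code: parse IRC numeric replies into the
# fields ircServerInfo.nse reports. Transcripts below are constructed.

def parse_irc_line(line):
    """Split a raw server line into (prefix, command, params, trailing)
    per the RFC 1459/2812 message grammar."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command = parts[0].upper() if parts else ""
    return prefix, command, parts[1:], trailing


def summarize_server_info(lines):
    """Reduce server replies to the fields the script reports. Numerics a
    server never sends leave their field absent, which is why the script's
    output differs from network to network."""
    info = {}
    for raw in lines:
        prefix, cmd, params, trailing = parse_irc_line(raw)
        text = trailing or ""
        if prefix:
            info.setdefault("server", prefix)
        if cmd == "351" and len(params) >= 3:            # RPL_VERSION
            info["version"] = " ".join(params[1:3])
        elif cmd == "251":                                # RPL_LUSERCLIENT
            m = re.search(r"There are (\d+) users and (\d+) invisible on (\d+) servers", text)
            if m:
                info["users"] = int(m[1]) + int(m[2])    # visible + invisible
                info["servers"] = int(m[3])
        elif cmd == "252" and len(params) >= 2 and params[1].isdigit():  # RPL_LUSEROP
            info["ops"] = int(params[1])
        elif cmd == "254" and len(params) >= 2 and params[1].isdigit():  # RPL_LUSERCHANNELS
            info["channels"] = int(params[1])
        elif cmd == "255":                                # RPL_LUSERME
            m = re.search(r"I have (\d+) clients and (\d+) servers", text)
            if m:
                info["lusers"], info["lservers"] = int(m[1]), int(m[2])
        elif cmd == "242":                                # RPL_STATSUPTIME
            m = re.search(r"Server Up (\d+) days?,? (\d+:\d+:\d+)", text)
            if m:
                info["uptime"] = "%s days, %s" % (m[1], m[2])
        elif cmd == "451":                                # ERR_NOTREGISTERED
            info["registered"] = False
    return info


def render(info):
    """Format the summary the way the script's 'IRC Server Info' block does,
    dropping any line whose fields are missing."""
    out = []
    if "server" in info:
        out.append("Server: " + info["server"])
    if "version" in info:
        out.append("Version: " + info["version"])
    if all(k in info for k in ("servers", "ops", "channels", "users")):
        out.append("Servers/Ops/Chans/Users: %d/%d/%d/%d"
                   % (info["servers"], info["ops"], info["channels"], info["users"]))
    if "lusers" in info and "lservers" in info:
        out.append("Lservers/Lusers: %d/%d" % (info["lservers"], info["lusers"]))
    if "uptime" in info:
        out.append("Uptime: " + info["uptime"])
    if info.get("registered") is False:
        out.append("Server refused queries: connection not registered")
    return out


# Constructed transcripts; counts copied from the scan output in the post.
FREENODE_REPLIES = [
    ":xxxxx.freenode.net 001 nmap :Welcome to the freenode IRC Network nmap",
    ":xxxxx.freenode.net 351 nmap hyperion-1.0.2b(382). xxxxx.freenode.net :constructed",
    ":xxxxx.freenode.net 255 nmap :I have 2882 clients and 0 servers",
    ":xxxxx.freenode.net 242 nmap :Server Up 48 days 21:40:26",
]
UNDERNET_REPLIES = [
    ":xxxx.undernet.org 001 nmap :Welcome to the Undernet IRC Network, nmap",
    ":xxxx.undernet.org 251 nmap :There are 24563 users and 88317 invisible on 28 servers",
    ":xxxx.undernet.org 252 nmap 77 :operator(s) online",
    ":xxxx.undernet.org 254 nmap 34161 :channels formed",
    ":xxxx.undernet.org 255 nmap :I have 11690 clients and 1 servers",
]
UNREGISTERED_REPLIES = [
    ":xxx.foonet.com NOTICE AUTH :*** Looking up your hostname...",
    ":xxx.foonet.com 451 STATS :You have not registered",
]

if __name__ == "__main__":
    for name, replies in (("freenode", FREENODE_REPLIES),
                          ("undernet", UNDERNET_REPLIES),
                          ("unregistered", UNREGISTERED_REPLIES)):
        print(name)
        for line in render(summarize_server_info(replies)):
            print("  " + line)
```

The 451 handling is the case worth keeping an eye on: a server that does not accept the script's USER/NICK registration answers every query with ERR_NOTREGISTERED, so the summary is empty even though the listener clearly speaks IRC.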
My next test on a server running on a different port seemed to fail and returned no data from the server at all.
C:\tools\nmap>nmap -sC --script=ircServerInfo.nse 85.248.xxx.xxx -p80
Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-08-30 10:09 Eastern Daylight Time
Interesting ports on 85.248.115.244:
PORT STATE SERVICE
80/tcp open http
Odd, I know that there is an IRC server listening on TCP/80. Let's see what nmap's service detection tells me:
PORT STATE SERVICE VERSION
80/tcp open irc Unreal ircd
Service Info: Host: irc.foonet.com <-- See! Let's try something else:
C:\tools\wget>WGET 85.248.xxx.xxx
--23:10:19-- http://85.248.xxx.xxx/
=> `index.html'
Connecting to 85.248.115.244:80... connected.
HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
Length: unspecified
[ <=>] 440 52.00B/s
23:10:55 (12.60 B/s) - `index.html' saved [440]
Interesting result, that. Let's see what index.html contains:
xxx.foonet.com NOTICE AUTH :*** Looking up your hostname...
xxx.foonet.com NOTICE AUTH :*** Found your hostname
xxx.foonet.com 451 GET :You have not registered
xxx.foonet.com 451 User-Agent: :You have not registered
xxx.foonet.com 451 Accept: :You have not registered
xxx.foonet.com 451 Host: :You have not registered
xxx.foonet.com 451 Connection: :You have not registered
So it definitely is an IRC server. Why did the nmap scan not return that information to me? Let's take another quick look at the script.
portrule = shortport.port_or_service(6667, "irc") <-- that might explain it.
It appears that it is only checking the standard IRC port of tcp/6667. That's no good. I guess the options would be to modify the script to use the -p option for input or, as a quick test, to change the port and service. Let's try that.
Interesting ports on 85.248.xxx.xxx:
PORT STATE SERVICE
80/tcp open httP
Still no luck! Well, this is going to take some more looking into. Annoying, to say the least. It might be that it's checking for certain headers, referrers, etc., or it might be an IRC daemon that is not supported by the script, but according to the author's post on nmap-dev it currently supports ratbox, ircnet, bahamut and unreal. I'm a little short on time at the moment, but I will see if I can come up with an answer to this.
So, while it is not perfect, the script has a lot of value. I highly recommend looking in the ../scripts directory at all the current scripts. There are about 30 or so.
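The portrule is the first gate. shortport.port_or_service(6667, "irc") fires when the port number is 6667 or when the service name nmap has assigned to the port is "irc"; with -sC alone that name comes straight from the nmap-services table, so TCP/80 is "http" and the script never runs there (and 6666 is "irc-serv", which is why it got no info block either). Once -sV has relabelled the port "irc", as the version scan above did, the service half of the rule would match. The following is an added example in Python, not nmap's or the script's own code: a model of that rule, plus a banner check that flags a listener as IRC from the NOTICE AUTH / 451 lines an unregistered client gets back, the same lines wget saved to index.html. Port tables and the banner are constructed from the scans quoted in this post.

```python
import re

# Added example, not nmap's code: a model of the NSE portrule
# shortport.port_or_service(6667, "irc") and a banner heuristic for IRC
# daemons sitting on ports nmap has labelled as something else.

IRC_PORTS = {6667}
IRC_SERVICES = {"irc"}


def portrule(port, ports=IRC_PORTS, services=IRC_SERVICES):
    """True when the script would run on this port entry: an open TCP port
    whose number is in `ports` OR whose nmap service name is in `services`.
    Without -sV the name is the nmap-services default (80 -> "http"), so on
    a non-standard port only the number could match, and it does not."""
    return (port["proto"] == "tcp" and port["state"] == "open"
            and (port["number"] in ports or port["service"] in services))


# What an IRC server says to a client that has not registered: NOTICE AUTH
# hostname lookups, then 451 ERR_NOTREGISTERED for every command it saw.
_IRC_UNREGISTERED = re.compile(r"^:?\S+\s+(?:NOTICE\s+AUTH|451)\s", re.IGNORECASE)


def looks_like_irc(banner):
    """Two or more unregistered-client lines in the response is a strong sign
    the listener speaks IRC, whatever port it is on."""
    hits = sum(1 for line in banner.splitlines() if _IRC_UNREGISTERED.match(line))
    return hits >= 2


def triage(ports, banners):
    """Per port: 'script' if the NSE rule fires, 'irc-on-unexpected-port' if
    it does not but the captured banner is IRC, otherwise 'skip'."""
    verdicts = {}
    for port in ports:
        number = port["number"]
        if portrule(port):
            verdicts[number] = "script"
        elif looks_like_irc(banners.get(number, "")):
            verdicts[number] = "irc-on-unexpected-port"
        else:
            verdicts[number] = "skip"
    return verdicts


def entry(number, service, state="open", proto="tcp"):
    """Build one port-table entry like the ones nmap hands to a portrule."""
    return {"number": number, "proto": proto, "state": state, "service": service}


# Constructed from the scans above. -sC alone: names from nmap-services.
SCAN_SC = [entry(22, "ssh"), entry(80, "http"), entry(6666, "irc-serv"), entry(6667, "irc")]
# -sV on the TCP/80 host: version detection relabelled the service "irc".
SCAN_SV = [entry(80, "irc")]

# Constructed copy of what wget saved to index.html from TCP/80.
WGET_BANNER = """xxx.foonet.com NOTICE AUTH :*** Looking up your hostname...
xxx.foonet.com NOTICE AUTH :*** Found your hostname
xxx.foonet.com 451 GET :You have not registered
xxx.foonet.com 451 User-Agent: :You have not registered
"""

if __name__ == "__main__":
    print("-sC only:", triage(SCAN_SC, {80: WGET_BANNER}))
    print("-sV:     ", triage(SCAN_SV, {}))
```

For whack-a-bot work the "irc-on-unexpected-port" verdict is the useful one: a box talking to TCP/80 that answers like this is not fetching web pages, and that is worth recording before any further checks of the remote host.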
Cheers,
Dean