NMAP Open Service Scan – Open resolver test

Open resolvers

From the CERT.be website: Open DNS resolvers are frequently being abused to conduct efficient DDoS attacks towards websites, infrastructure and services.

You can detect open resolvers on your network with a vulnerability information management tool (for example Qualys), via the Open Resolver Project or manually with an nmap command.

nmap -sU -sV -p 53 --script 'dns-recursion' 127.0.0.1

Keeping track of the different output files becomes more difficult if you have to do this often. I wrote a script that imports the nmap xml file into a sqlite database. You can then query that database and keep track of the history.

NOSS, NMAP Open Service Scan

NOSS can launch an nmap scan for you, store the results in a database and provide reports, with history. NOSS allows you to scan for open resolvers but it can also scan for SNMP servers (udp/161) and web servers (tcp/80).

The script is written in Python because I wanted to train my skills in Python scripting.

You’ll need root or sudo privileges to launch a scan. Alternatively you can do the scan manually and import the xml file.

************************************
NMAP Open Service Scan 0.1
************************************

usage: parser [-h] [-d DATABASE]
              {stats,scan,init,clean,report,import,empty} ...

Scan and report the open resolvers (or any other network service) in your
network.

optional arguments:
  -h, --help            show this help message and exit
  -d DATABASE, --database DATABASE
                        Database to use (default: noss.db)

Command switches:
  NOSS has a couple of command switches that tell it what you want it to do

  {stats,scan,init,clean,report,import,empty}
    import              Import data from external sources (NMAP)
    scan                Launch a scan (NMAP)
    report              Build different reports
    stats               Return statistics on the content of the database
    clean               Clean the database
    init                Initialize the database
    empty               Empty the database

Download

The code is on https://github.com/cudeso/tools/tree/master/noss.

Initialize

Before you can use noss you need to initialize the database with init. The init command needs the sql structure file noss.sql.

./noss.py init 
Initialized the database noss.db, based on the SQL script noss.sql

Statistics

You can verify that the database was successfully created with the stats command.

./noss.py stats
Global statistics :
 Records in hosts table : 0
 Records in ports table : 0
 Unique IPs : 0
 Maximum session ID : 0

Launch a scan

You can launch a scan from inside noss. It needs nmap and most probably root or sudo rights.

usage: parser scan [-h] [-sd] [-sn] [-sh] [-t SCAN_TARGET] [-o OUTPUT_FILE]

optional arguments:
  -h, --help            show this help message and exit
  -sd, --scan-dns       Scan for open DNS resolvers
  -sn, --scan-snmp      Scan for SNMP servers'
  -sh, --scan-http      Scan for HTTP servers
  -t SCAN_TARGET, --scan-target SCAN_TARGET
                        Target to scan
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        The NMAP export base filename

You can start three different types of scan:

  • -sd : scan for open DNS resolvers;
  • -sn : scan for SNMP servers;
  • -sh : scan for HTTP servers.

You need to provide at least one scan type option.

You can specify a target with -t or --scan-target. If you do not specify a target it will use 127.0.0.1. You can also provide a filename for the output files (xml, nmap and gnmap) with -o or --output-file. The filename defaults to noss.xml.

The nmap command will then be printed and nmap will be launched.

sudo ./noss.py scan -sd -sn -t 127.0.0.1
[sudo]Launch a scan (you will need 'root' or 'sudo' privileges)
 - dns-recursion
 - snmp-sysdescr
 towards :  127.0.0.1
 nmap -sU -sS -sV -oA  noss  -p  53,161    --script 'dns-recursion'  --script 'snmp-sysdescr'   127.0.0.1

When the scan finishes, noss prints the nmap debug information.

Import a file

Once a scan is finished you will need to import it.

usage: parser import [-h] [-n NMAP_XML]

optional arguments:
  -h, --help            show this help message and exit
  -n NMAP_XML, --nmap-xml NMAP_XML
                        The NMAP XML import file

By default it will use noss.xml as the import filename, but you can provide an alternative filename with -n or --nmap-xml.

./noss.py import --nmap-xml noss.xml 
Import : processing XML file noss.xml
Finished processing XML file noss.xml

Statistics for the last session :
 Records in hosts table : 1
 Records in ports table : 3
 Unique IPs : 1
 Maximum session ID : 1

Empty the database

You can also empty the database. You cannot undo this command.

./noss.py empty

Empty database : OK

Clean the database

Every new import of a file is a new session. You can clean older sessions with the clean command.

./noss.py clean -h

usage: parser clean [-h] [-c [CLEANUPS]]

optional arguments:
  -h, --help            show this help message and exit
  -c [CLEANUPS], --cleanups [CLEANUPS]
                        Remove the older session data

If no value for -c or --cleanups is given then noss will keep 5 sessions.

Reporting

The most interesting part is getting the reports displayed. You can do this with the report command.

./noss.py report -h
usage: parser report [-h] [-s] [-l] [-L] [-D] [-S [SESSIONS_DETAIL]] [-rh]
                     [-rd] [-ra] [-rs REPORT_SESSION] [-rq] [-rc]

optional arguments:
  -h, --help            show this help message and exit
  -s, --sessions        Return the number of sessions
  -l, --sessions-list   List the sessions
  -L, --sessions-list-detail
                        List the sessions, with script-id
  -D, --sessions-dump   Print all the sessions
  -S [SESSIONS_DETAIL], --sessions-detail [SESSIONS_DETAIL]
                        Dump raw details of a session
  -rh, --report-history
                        Include the history in a report
  -rd, --report-dns     Report on open DNS resolvers
  -ra, --report-all     Report on all ports
  -rs REPORT_SESSION, --report-session REPORT_SESSION
                        Report on this session
  -rq, --report-quick   Quick report (hostname + timestamp)
  -rc, --report-csv     Report with data in CSV format

If you do not provide an option to the report command you’ll get a list of the open resolvers found in the last import.

./noss.py report
Report generation for : domain 53/udp 
 Session : 1
 Script dns-recursion , verifying for output Recursion appears to be enabled

-------------------------------------
 2013-12-27 18:45:17 127.0.0.1 (localhost) 53/udp 	 Recursion appears to be enabled 	 ISC BIND 	 9.7.0-P1

You can use -rq or --report-quick for a quick (or short) report or get a report in CSV format with -rc or --report-csv. You can cut and paste the CSV part into another file.

./noss.py report -rq
-------------------------------------
2013-12-27 18:45:17 	127.0.0.1
./noss.py report -rc
-------------------------------------
2013-12-27 18:45:17,127.0.0.1,localhost,53,udp,Recursion appears to be enabled,ISC BIND,9.7.0-P1

With -ra or --report-all you get a list of all the ports found.

./noss.py report -ra

By default noss will return the data for the last session. You can select a previous session with -rs or --report-session.

./noss.py report -rs 3

With -s or --sessions you get the number of sessions.

./noss.py report -s

You can list the sessions with -l or --sessions-list, and the scripts used with -L or --sessions-list-detail.

./noss.py report -l
List the sessions
 Session 1 : 2013-12-27 18:45:17
 Session 2 : 2013-12-27 18:59:26
./noss.py report -L
List the sessions (detailed view)
 Session 1 : 2013-12-27 18:45:17
   1x <no script provided> 
   1x dns-recursion 
   1x snmp-sysdescr 
 Session 2 : 2013-12-27 18:59:26
   1x <no script provided> 
   1x dns-recursion 
   1x snmp-sysdescr

You can also dump the content of the sessions with -D or --sessions-dump.

./noss.py report -D

With -S or --sessions-detail you can dump most of the details of one session.

./noss.py report -S 4

Get started

./noss.py init
Initialized the database noss.db, based on the SQL script noss.sql

sudo ./noss.py scan -sd -sn -t 127.0.0.1
Launch a scan (you will need 'root' or 'sudo' privileges)
 - dns-recursion
 - snmp-sysdescr
 towards :  127.0.0.1

./noss.py import --nmap-xml noss.xml 
Import : processing XML file noss.xml
Finished processing XML file noss.xml

Statistics for the last session :
 Records in hosts table : 1
 Records in ports table : 3
 Unique IPs : 1
 Maximum session ID : 1

sudo ./noss.py scan -sd -sn -t 127.0.0.1
Launch a scan (you will need 'root' or 'sudo' privileges)
 - dns-recursion
 - snmp-sysdescr
 towards :  127.0.0.1

./noss.py import --nmap-xml noss.xml 
Import : processing XML file noss.xml
Finished processing XML file noss.xml

Statistics for the last session :
 Records in hosts table : 1
 Records in ports table : 3
 Unique IPs : 1
 Maximum session ID : 2

./noss.py report -rh
 Report generation for : domain 53/udp 
  Session : 2
  Script dns-recursion , verifying for output Recursion appears to be enabled

 -------------------------------------
  2013-12-28 00:10:53 127.0.0.1 (localhost) 53/udp 	 Recursion appears to be enabled 	 ISC BIND 	 9.7.0-P1
    \_ Also on 2013-12-28 00:10:17 - 127.0.0.1 (localhost) 53/udp 	 ISC BIND 	 9.7.0-P1
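
The import-and-history workflow shown above, as an added example that is not NOSS's own code: it parses a constructed nmap XML sample, stores each import as a new session in SQLite, and lists the sessions in which dns-recursion reported recursion enabled for each IP. The two-table schema and the function names are assumptions made for this example; NOSS itself uses the structure in noss.sql.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output, trimmed to the elements used below.
SAMPLE_XML = """<nmaprun start="1388166317"><host>
  <address addr="127.0.0.1" addrtype="ipv4"/>
  <ports><port protocol="udp" portid="53">
    <state state="open"/>
    <service name="domain" product="ISC BIND" version="9.7.0-P1"/>
    <script id="dns-recursion" output="Recursion appears to be enabled"/>
  </port></ports>
</host></nmaprun>"""

def init_db(conn):
    # Hypothetical schema for this example (not the one from noss.sql).
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS sessions (id INTEGER PRIMARY KEY, scanned INTEGER);
        CREATE TABLE IF NOT EXISTS findings (session INTEGER, ip TEXT, proto TEXT,
                                             port INTEGER, script TEXT, output TEXT);""")

def import_xml(conn, xml_text):
    """Import one nmap run as a new session and return the session id."""
    root = ET.fromstring(xml_text)  # parse only XML produced by your own scans
    session = conn.execute("INSERT INTO sessions (scanned) VALUES (?)",
                           (int(root.get("start", 0)),)).lastrowid
    for host in root.iter("host"):
        ip = host.find("address").get("addr")  # nmap lists the IP address first
        for port in host.iter("port"):
            for script in port.iter("script"):
                conn.execute("INSERT INTO findings VALUES (?,?,?,?,?,?)",
                             (session, ip, port.get("protocol"), int(port.get("portid")),
                              script.get("id"), script.get("output")))
    conn.commit()
    return session

def open_resolver_history(conn):
    """Map each IP to the sessions in which it was seen as an open resolver."""
    rows = conn.execute("""SELECT ip, session FROM findings
                           WHERE script = 'dns-recursion'
                             AND output LIKE '%Recursion appears to be enabled%'
                           ORDER BY ip, session""")
    history = {}
    for ip, session in rows:
        history.setdefault(ip, []).append(session)
    return history

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    init_db(db)
    import_xml(db, SAMPLE_XML)
    import_xml(db, SAMPLE_XML)
    print(open_resolver_history(db))
```

Because every import gets its own row in the sessions table, a host that stops appearing in later sessions shows up as a gap in its history, which is how you confirm a resolver was actually fixed.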

Speed

The scan speed is dependent on your machine and connection speed. You can speed up the scanning process by changing the timing (-T) in the nmap command (function startScan).
