Brew Nmap



As I continue to hack on drones, robocars, autonomous vacuum cleaners, and connected light bulbs, I constantly find myself revisiting the same network scanning cookbook. Inevitably, I am required to SSH, netcat, POST, or do something else entirely to some IoT device, but I never can quite remember the steps to do so, leaving me to constantly reinvent the process. This blog post is a quick attempt to turn this exercise in data plumbing into a joyful recipe for all to follow.


First step is always to run

ifconfig

from the terminal. This will display a list of all of the network interfaces through which your computer can reach the outside world and their associated IP addresses. Typically, you will use your WiFi card, en0 on a MacBook, but you can also connect to IoT devices via USB or Ethernet for debugging. If you are connecting to the network over WiFi, save the inet address from en0. In my case, my router assigned me 10.0.0.10.

Next, let’s install a tool called nmap. This is a command line network mapping tool that is absolutely loaded with features and extremely helpful for configuring IoT devices. The nmap website recommends several installation methods, but Homebrew is the easiest on a Mac. If you don’t have Homebrew installed, take a look at the instructions here. Otherwise, type

brew install nmap

into the terminal. You may need to install the Xcode Command Line Tools if you haven’t already: Homebrew usually installs a prebuilt bottle, but if it has to build nmap from source it needs a compiler. To get a taste of what nmap does, type

nmap --help

and witness the unfurling of pages of complex documentation. For our purposes, we just need to identify IoT devices on our network. Type

sudo nmap -sn 10.0.0.10/24

where the IP address is the one from which you accessed the network. The /24 is CIDR notation: the first 24 bits are the network part, so nmap scans all 256 addresses with the 10.0.0 prefix, 10.0.0.0-10.0.0.255 (the network and broadcast addresses included, though those rarely answer). The same thing can also be accomplished with an asterisk, as in 10.0.0.* (quote it so the shell does not try to expand it as a file glob). Running as root matters here: for targets on the local segment nmap then discovers hosts with ARP requests, which is why MAC addresses and vendor names show up in the results. On my network, nmap returned the list below.

Daniels-MacBook-Pro-3:~ dMcK$ sudo nmap -sn 10.0.0.10/24
Starting Nmap 6.47 ( http://nmap.org ) at 2017-04-17 22:06 PDT
Nmap scan report for 10.0.0.1
Host is up (0.067s latency).
MAC Address: 58:23:8C:6C:6A:79 (Technicolor CH USA)
Nmap scan report for 10.0.0.2
Host is up (0.065s latency).
MAC Address: 58:23:8C:6C:6A:7B (Technicolor CH USA)
Nmap scan report for 10.0.0.5
Host is up (0.16s latency).
MAC Address: B8:27:EB:31:B3:F9 (Raspberry Pi Foundation)
Nmap scan report for 10.0.0.7
Host is up (0.16s latency).
MAC Address: 54:60:09:37:25:DA (Unknown)
Nmap scan report for 10.0.0.14
Host is up (0.092s latency).
MAC Address: 1A:A6:F7:C5:40:3E (Unknown)
Nmap scan report for 10.0.0.17
Host is up (0.065s latency).
MAC Address: 00:CD:FE:B1:31:B5 (Unknown)
Nmap scan report for 10.0.0.26
Host is up (1.3s latency).
MAC Address: 1A:A6:F7:28:E8:A2 (Unknown)
Nmap scan report for 10.0.0.27
Host is up (0.10s latency).
MAC Address: 00:17:88:25:50:D1 (Philips Lighting BV)
Nmap scan report for 10.0.0.10
Host is up.
Nmap done: 256 IP addresses (9 hosts up) scanned in 13.00 seconds

You can see how I easily can pick out some of my interesting devices and I now know their IP addresses. From here, I am free to ssh in (see the cute RetroPi ssh message below), make a request, or otherwise interact with any of the devices over the network. If you have a very large list of devices on the network, you can use a pipe (|) followed by grep and the search term of interest to display only those devices. Note that the vendor name is on the MAC Address line, two lines below the line that carries the IP, so ask grep for those two lines of leading context as well. For example,

sudo nmap -sn '10.0.0.*' | grep -B2 Raspberry

displays only the RasPi computers on the network, IP address included (a plain grep Raspberry would print only the MAC Address lines).

The -sn option is a host-discovery ("ping") scan: nmap rips through the IP addresses and records which ones respond, but it looks at no ports at all. This generates a quick list of devices on the network and nothing more. For port details, drop -sn: the default port scan when run as root is a TCP SYN scan (-sS), -sT does a full TCP connect scan instead, and -sU scans UDP ports (expect it to be slow, because closed UDP ports often do not answer at all).

You can have even more fun with the -A flag, which turns on OS detection, service version detection, the default NSE scripts and a traceroute, and so returns all kinds of information about the device. Running this against my RetroPi, I learn that the device is running a Linux 3.X kernel and Debian Samba 4.2.10, is named RetroPi, and is classified as a general purpose device. Applying the same to the Philips Hue bridge lets me know that I can make HTTP requests over TCP on port 80, which is exactly how we controlled the lights in my previous blog post.

Try this command with all of your IoT toys and see what you get back! Take note, however, that an -A scan can take several minutes per device, so it may be a while before nmap returns details for everything on your network.
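When you do run -A against every device, ask nmap for XML as well (`-oX -` prints it to stdout, `-oA name` writes normal, grepable and XML files side by side) and script the interesting bits instead of reading pages of output. The following is an added example, not code from the original post. The XML embedded in it is a constructed stand-in for what `sudo nmap -A -oX - 10.0.0.5 10.0.0.27` might produce for the RetroPi and the Hue bridge described above; it is not a captured scan, and the port list, banners and OS match percentages in it are invented for illustration.

```python
"""Pull open ports, service banners and OS guesses out of `nmap -A -oX -` output.

Added example, not code from the original post. SAMPLE_XML is a constructed
stand-in for a scan of the post's RetroPi (10.0.0.5) and Hue bridge
(10.0.0.27); the ports, versions and accuracy values are illustrative only.
"""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -A -oX - 10.0.0.5 10.0.0.27" version="6.47">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<address addr="B8:27:EB:31:B3:F9" addrtype="mac" vendor="Raspberry Pi Foundation"/>
<hostnames><hostname name="retropie" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" method="probed" conf="10"/></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="netbios-ssn" product="Samba smbd" version="4.2.10-Debian" method="probed" conf="10"/></port>
</ports>
<os><osmatch name="Linux 3.2 - 4.4" accuracy="96"/><osmatch name="Linux 3.10" accuracy="92"/></os>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.27" addrtype="ipv4"/>
<address addr="00:17:88:25:50:D1" addrtype="mac" vendor="Philips Lighting BV"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https" method="table" conf="3"/></port>
</ports>
</host>
<runstats><finished time="0" elapsed="120.5"/><hosts up="2" down="0" total="2"/></runstats>
</nmaprun>
"""


@dataclass
class Service:
    port: int
    proto: str
    state: str                      # open / closed / filtered ...
    name: str                       # nmap's service name, e.g. "http"
    product: Optional[str] = None   # only present when -sV/-A identified the software
    version: Optional[str] = None


@dataclass
class ScannedHost:
    ip: str
    mac: Optional[str] = None
    vendor: Optional[str] = None
    hostname: Optional[str] = None
    os_guess: Optional[str] = None  # highest-accuracy <osmatch>, if -O produced any
    os_accuracy: int = 0
    services: List[Service] = field(default_factory=list)

    def open_ports(self) -> List[Tuple[str, int]]:
        return [(s.proto, s.port) for s in self.services if s.state == "open"]


def parse_nmap_xml(xml_text: str) -> List[ScannedHost]:
    """One ScannedHost per <host> that nmap reports as up."""
    hosts: List[ScannedHost] = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        host = ScannedHost(ip="")
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                host.ip = a.get("addr")
            elif a.get("addrtype") == "mac":
                host.mac, host.vendor = a.get("addr"), a.get("vendor")
        hn = h.find("hostnames/hostname")
        if hn is not None:
            host.hostname = hn.get("name")
        for p in h.findall("ports/port"):
            svc = p.find("service")
            host.services.append(Service(
                port=int(p.get("portid")), proto=p.get("protocol"),
                state=p.find("state").get("state"),
                name=svc.get("name", "") if svc is not None else "",
                product=svc.get("product") if svc is not None else None,
                version=svc.get("version") if svc is not None else None))
        best = max(h.findall("os/osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        if best is not None:
            host.os_guess, host.os_accuracy = best.get("name"), int(best.get("accuracy", "0"))
        hosts.append(host)
    return hosts


def hosts_offering(hosts: List[ScannedHost], service_name: str) -> List[Tuple[str, int]]:
    """(ip, port) pairs where an *open* port carries the given service name."""
    return [(h.ip, s.port) for h in hosts for s in h.services
            if s.state == "open" and s.name == service_name]


if __name__ == "__main__":
    # usage (assumed file name): sudo nmap -A -oX - 10.0.0.0/24 | python3 nmap_services.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_XML
    for host in parse_nmap_xml(text):
        print(f"{host.ip} {host.vendor or '-'} os={host.os_guess or '?'} ({host.os_accuracy}%)")
        for s in host.services:
            if s.state == "open":
                print(f"  {s.proto}/{s.port} {s.name} {s.product or ''} {s.version or ''}".rstrip())
```

Only `state="open"` ports are reported as offering a service; nmap still emits `<port>` elements for closed or filtered ports that had a version probe or table entry, so filtering on the state attribute is what keeps a closed 443 out of the "talks HTTPS" list.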

Also interesting is to scan a public host you control. Only scan machines you own or have permission to test; an -A scan runs scripts and OS probes against the target, and not every operator appreciates that. Try

sudo nmap -A ddmckinnon.com

and you’ll learn that I host on Bluehost, run WordPress on Linux servers, and, from the traceroute that -A runs, that it takes around 17 hops to get from your house to the Bluehost server sitting in a data center somewhere. You can see my serpentine route below.

With this little tutorial, we’ve just begun to scratch the surface of nmap and IoT. Up next, I’ll explore how to use this tool beyond the safe confines of your own local network and how to connect with devices out there in the wild world of the internet.


Java

Download the latest Java JDK 8 from Oracle; the installer sets up the proper links for the Java binaries: http://www.oracle.com/technetwork/java/javase/downloads/index.html

Test that Java is properly installed by running

It should return the version of Java you just installed. To check that the link location is /usr/bin/java, run:

If both commands run and the location is correct, Java is properly installed on the system.

Install Homebrew

We need to make sure that the binaries we install with Homebrew come first in the PATH:

Install Nmap

For Nmap on OS X I recommend using Homebrew, since the maintainers are quick to keep the formula updated and to work out any problems that arise. To install Nmap, run the command below:

Install Ruby 2.1

On OS X we have three methods for installing Ruby 2.1.x:

  • Homebrew
  • RVM (Ruby Version Manager)
  • rbenv

Installing Ruby using Homebrew:

Check that you are running the version of Ruby you just installed with:

If installing using RVM, be warned that symlinks will not work due to the way it places the binary stubs of the metasploit-framework gem.

Installing Ruby using RVM:

Installing Ruby using rbenv:

Once the packages have been installed, we need to install the Ruby libraries that Metasploit depends on:

Install PostgreSQL

Configure PostgreSQL

Init the Database if this is a first time install:

Configure PostgreSQL to load automatically on login. The instructions below are an example; copy and paste the commands that the brew installer showed and follow any other instructions it gives:

PostgreSQL will now start every time a user logs in. Create a user called msf for use with Metasploit:

Create a database called msf for use with Metasploit and make the user msf its owner:

Record the password used for the account you created, since it will be needed when configuring the framework.

Installing Metasploit Framework

For regular use of the framework you only need to clone the Git repository, create the necessary links and set the environment variable that points to the database config file.

Create Symlink Copy for Regular Use

WARNING: Currently there is a bug in Metasploit Framework with Symlinks and RVM: https://github.com/rapid7/metasploit-framework/issues/4602

From the metasploit-framework folder, use the Bundler gem to install the properly supported gem versions:

Before starting to use the framework we need to create the database config file and set its parameters:

Enter the following text into the file, keeping the spacing and using the values you chose when creating the user and database:

To load the variable pointing at the database configuration file for the current user:

Run msfconsole for the first time as your current user, not as root, so that it initializes the database schema under your own account:

Metasploit for Development and Contribution

If you wish to develop and contribute to the product you can follow the additional steps here: Metasploit Dev Environment. For this you will need a GitHub account and you will fork the project into your own account. I personally keep my dev copy of Metasploit in the ~/Development folder and, after an initial run of msfconsole, I keep my database.yml file in the ~/.msf4/config folder and adjust the MSF_DATABASE_CONFIG variable for it, or run msfconsole with the -y option and point it to a YAML file with the correct configuration.

Install Armitage

Since Armitage is no longer included with the Framework, we need to execute some additional steps:

Link Scripts

One important thing to take into consideration: to use Armitage and many of the modules provided in Metasploit you need to run them as root. Because sudo resets the environment by default, the MSF_DATABASE_CONFIG variable set above would be lost when invoking msfconsole or Armitage, so you need to give sudo the -E option to preserve it: