Networks Fall 2009.


Review – Last Lecture: Computer Crimes, Social Engineering, Network Scanning

Review - Social Engineering
The most common type of attack. Basically: lying to someone to gain information on how to penetrate the network or systems.
Preys upon the basic tendency in a company to trust other company personnel and to believe what they are told over the phone or by e-mail.
No detailed technical skills required, but the attacker must be credible and knowledgeable about the organization and its methods and procedures for granting access.
Easiest place to attack: users and the support desk.

Review - Footprinting
Before a hacker attempts to gain access to a system, time must be spent gathering information about the target. This process is known as footprinting; it is a critical step in subverting the security of a target system. Footprinting is the hacking equivalent of casing a potential robbery location.
Systematic footprinting allows the hacker to build a complete profile of the target, including information about the domain, network blocks, IP addresses exposed on the Internet, and system architecture. Once the profile is known, the hacker can focus on specific machines and ports to gain access to the system.

Outline: Computer Crimes, Ping Sweep, Port Scan

Computer Crimes

Crimes 1 Traci Southerland has been sentenced to 13 years in prison for stealing personal information from the Hamilton County (OH) Clerk of Courts' website and using it to commit identity fraud. Southerland and seven others used the stolen information to commit credit card and check fraud, netting them US$500,000. The county clerk's website now blocks access to documents that hold personally identifiable information.

Crimes 2 Six people have been indicted on fraud charges for their involvement in a phishing scam that tried to gather credit card and bank account numbers from AOL users. The individuals allegedly gathered thousands of AOL email addresses and sent maliciously crafted ecards that downloaded software that prevented the users from logging on to AOL without providing credit card or bank account information. The cyber thieves allegedly used the stolen financial account information to buy computers, gift cards and gaming consoles. Three of the men have already pleaded guilty and face between two and nine-and-a-half years in prison when they are sentenced in December. The other three people have not yet been arraigned.

Crimes 3 A contract worker at the Stevens Hospital emergency room in Edmonds, Washington stole patients' credit card numbers and gave the information to her brother who used it to buy thousands of dollars worth of goods over the Internet. Yvon Hennings pleaded guilty to conspiracy to commit access device fraud and wire fraud. She will be sentenced in November and her brother's trial is slated to begin in January 2007. The data breach affected patients who visited the emergency room between December 2003 and January 2005.

Ping Sweep

Ping Sweeping
The first step in scanning is to determine which IP addresses in the network block belong to live hosts. This can be done using the Internet Control Message Protocol (ICMP).
ICMP was designed as a simple protocol to report network error conditions and supply basic network information. Unfortunately, ICMP can also be used by hackers for network reconnaissance, and it is a particularly good protocol for identifying active IP addresses: unlike the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), ICMP does not connect to a particular service on a host; it is handled by the host's operating system itself.
Knowing the IP address of a host is therefore enough to determine whether the host is alive: send it an ICMP echo request (a ping), and if an echo reply comes back, the machine is up. Using ICMP this way to find live hosts on a network is termed ping sweeping.
Caveat: the absence of a reply does not prove the host is down; a host or firewall may simply drop echo requests, which is why a port scan (later in the lecture) is used as a second opinion.
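What a ping actually puts on the wire is an 8-byte ICMP header plus payload, and the reply is matched to the request by the identifier and sequence fields. The following is an added example, not code from the lecture: it builds the echo request, computes the RFC 1071 checksum, and checks a reply. The same builder also produces the timestamp (type 13) and address-mask (type 17) requests used as quieter probes later on, so it goes a little beyond the echo case described above. No packets are sent; the "reply" is constructed by `make_reply`, a stand-in for the target host.

```python
"""Build and parse the ICMP messages a ping sweep relies on.

Added example (not from the lecture slides).  Constructs the echo request
that `ping` sends, computes the RFC 1071 checksum, and checks the reply.
The builder is generic, so it also makes timestamp (13/14) and address
mask (17/18) requests.  Nothing is transmitted: make_reply() stands in
for the target host.
"""
import ipaddress
import struct

# ICMP type numbers (RFC 792, RFC 950)
ECHO_REPLY, ECHO_REQUEST = 0, 8
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14
MASK_REQUEST, MASK_REPLY = 17, 18
REPLY_FOR = {ECHO_REQUEST: ECHO_REPLY,
             TIMESTAMP_REQUEST: TIMESTAMP_REPLY,
             MASK_REQUEST: MASK_REPLY}


def icmp_checksum(data):
    """RFC 1071: one's-complement sum of 16-bit words, odd length zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, ident, seq, payload=b""):
    """Header: type(1) code(1) checksum(2) id(2) seq(2); checksum covers everything.
    For a real timestamp request the payload is three 32-bit timestamps (12 bytes)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Verify the checksum and return the header fields; raise on a corrupt message."""
    if len(packet) < 8:
        raise ValueError("short ICMP message")
    if icmp_checksum(packet) != 0:          # a valid packet sums to all-ones
        raise ValueError("bad ICMP checksum")
    t, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": t, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def make_reply(request):
    """Constructed reply a live host would send to `request` (test stand-in only)."""
    req = parse_icmp(request)
    return build_icmp(REPLY_FOR[req["type"]], req["id"], req["seq"], req["payload"])


def host_is_alive(request, reply):
    """True when `reply` is the matching reply type and carries our id/seq.
    Echo, timestamp and mask replies are all proof that the IP stack is up."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["type"] == REPLY_FOR.get(req["type"])
            and (rep["id"], rep["seq"]) == (req["id"], req["seq"]))


def sweep_targets(block):
    """Addresses a naive sweep probes one by one (network/broadcast excluded)."""
    return [str(h) for h in ipaddress.ip_network(block, strict=False).hosts()]


if __name__ == "__main__":
    for target in sweep_targets("152.117.0.0/29"):
        req = build_icmp(ECHO_REQUEST, 0x1234, 1, b"ping")
        print(target, "alive" if host_is_alive(req, make_reply(req)) else "silent")
    print("%d addresses in 152.117.0.0/16" % len(sweep_targets("152.117.0.0/16")))
```

Sending the request for real needs a raw socket (`socket.SOCK_RAW`, `IPPROTO_ICMP`), and therefore root on Unix; the kernel fills in the IP header and the checksum above is the one it will not fill in for you.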

Example
The whois lookup on plu found the network address range 152.117.0.0 to 152.117.255.255 (152.117.0.0/16). How many of those addresses are actually in use? Find out by sending a ping to each one:
ping 152.117.0.1
ping 152.117.0.2
ping 152.117.0.3
...
This could take a lot of time: a /16 holds 65,534 host addresses.

Ping Run
Example of a successful ping: (terminal output not reproduced in the transcript)
Example of an unsuccessful ping: (terminal output not reproduced in the transcript)

Use nmap
The ping sweep can be automated using nmap. The command is:
nmap -sP 152.117.0.0/29
(Current nmap versions call this -sn; the old -sP spelling is still accepted. When run as root against a non-local network, nmap's host discovery also sends a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, not just echo requests.)
This is a particularly noisy scan that can be detected by an IDS that looks for a threshold number of ICMP echo requests from the same source within a given amount of time. Most IDSs can detect this type of scan, so it is not often used in practice.

Example Run
Using NMapWin (available from www.insecure.org), 3 systems at PLU were up and running: (scan output not reproduced in the transcript)

Work Around 1
If a hacker can limit the number of echo requests issued, it may be possible not to trigger an IDS alarm, because the threshold number of ICMP requests is never exceeded. By issuing ICMP echo requests to known broadcast addresses, the number of pings can be kept to a minimum. In a classful /24 block the addresses ending in 0 and 255 are the network and broadcast addresses, and a ping sent to them is delivered to every host on that segment. A clever hacker therefore sends echo requests to the .0 and .255 addresses of a block and potentially gets back up to 254 echo replies. This is much more efficient and stealthy than sending individual requests to all 254 potentially active machines.
Caveat: this rarely works today. Routers drop directed broadcasts by default (RFC 2644, the response to smurf amplification attacks) and most operating systems ignore broadcast echo requests (Linux: net.ipv4.icmp_echo_ignore_broadcasts=1), so the trick only reaches hosts on the attacker's own segment. An IDS can also flag any echo request addressed to a .0 or .255 address, since no legitimate client sends one.

Workaround 2
Another way to avoid easy detection is to use a non-echo ICMP request, such as a timestamp request (type 13) or an address mask request (type 17). A host that answers either one is clearly alive, but an IDS rule that counts only echo requests never sees the probe.
A useful tool is icmpush, which crafts and sends an arbitrary ICMP request. For example:
icmpush -tstamp 192.168.5.5
RESULT:
kenny.sys-security.com -> 13:48:07
The timestamp reply shows that the site is on-line.
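The two workarounds above only defeat a detector that counts echo requests per source. This added example, which is not from the lecture, implements that threshold rule over a constructed ICMP event log (the records, sources and timestamps are made up for illustration) and shows what each evasion does to it: the broadcast probe never reaches the count, the timestamp sweep is the wrong type, and a legitimate monitoring host that pings one server all day is a false positive. The fix for the last two is to count all ICMP request types and distinct destinations; the fix for the first is a rule on the destination address.

```python
"""Threshold detection of a ping sweep, and what the two evasions on the
preceding slides do to it.  Added example, not from the lecture; the ICMP
event records are constructed, not captured traffic."""
import ipaddress
from collections import defaultdict

ECHO_REQUEST, TIMESTAMP_REQUEST, MASK_REQUEST = 8, 13, 17
REQUEST_TYPES = frozenset({ECHO_REQUEST, TIMESTAMP_REQUEST, MASK_REQUEST})

# Constructed log: (seconds, source, destination, icmp_type)
EVENTS = (
    # naive sweep: one echo request per second to 20 different hosts
    [(t, "10.9.9.9", "152.117.6.%d" % (t + 1), ECHO_REQUEST) for t in range(20)]
    # Work Around 1: a single echo request to the block's broadcast address
    + [(30, "10.9.9.10", "152.117.6.255", ECHO_REQUEST)]
    # Workaround 2: the same sweep done with timestamp requests
    + [(40 + t, "10.9.9.11", "152.117.6.%d" % (t + 1), TIMESTAMP_REQUEST) for t in range(20)]
    # benign: a monitoring host pinging one server every second
    + [(t, "10.9.9.12", "152.117.6.1", ECHO_REQUEST) for t in range(30)]
)


def sweep_alerts(events, window=60, threshold=10, types=frozenset({ECHO_REQUEST}),
                 count_distinct_dsts=False):
    """Sources that sent more than `threshold` requests of the given `types`
    within any `window` seconds (sliding window per source).  With
    count_distinct_dsts the metric is the number of distinct targets, which is
    what separates a sweep from a busy but legitimate pinger."""
    per_src = defaultdict(list)
    for ts, src, dst, icmp_type in sorted(events):
        if icmp_type in types:
            per_src[src].append((ts, dst))
    alerts = set()
    for src, recs in per_src.items():
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1                  # slide the window forward
            in_window = recs[start:end + 1]
            n = len({d for _, d in in_window}) if count_distinct_dsts else len(in_window)
            if n > threshold:
                alerts.add(src)
                break
    return alerts


def broadcast_probe_sources(events, block):
    """The broadcast trick never trips a counter, so match on the destination:
    any ICMP request aimed at the network or broadcast address of `block`."""
    net = ipaddress.ip_network(block)
    flagged = {str(net.network_address), str(net.broadcast_address)}
    return {src for _, src, dst, t in events if t in REQUEST_TYPES and dst in flagged}


if __name__ == "__main__":
    print("echo-only, raw count:    ", sweep_alerts(EVENTS))
    print("echo-only, distinct dsts:", sweep_alerts(EVENTS, count_distinct_dsts=True))
    print("all types, distinct dsts:", sweep_alerts(EVENTS, types=REQUEST_TYPES,
                                                    count_distinct_dsts=True))
    print("broadcast probes:        ", broadcast_probe_sources(EVENTS, "152.117.6.0/24"))
```

The threshold and window are the tunable part; a real IDS also has to cope with spoofed source addresses, which this per-source counter does not see through.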

Port Scan

Progress
From the whois and the ping sweep we know that plu has at least 3 hosts available:
shemp.cs.plu.edu (152.117.6.1)
antfarm.cs.plu.edu (152.117.6.3)
mem105cam.cs.plu.edu (152.117.6.6)
Now we want to find out which services are available, in the form of which ports are open.
Remember: well-known ports correspond to common services on a system, such as ftp on port 21 and the web on port 80.

Port Scan Methods
Port scanning can be subdivided into three groups: horizontal, vertical, and block scans.
A horizontal scan queries a specific port on numerous machines. This is used when an exploit is known for a particular service and the hacker wants to know which machines are running the vulnerable service. An example would be scanning for ftp on port 21, a service with a long history of vulnerabilities.
A vertical scan queries all the ports on a given host. For example, if a hacker wants to alter the content of the CS web site, all ports on the web server 152.117.6.1 would be scanned.
A block scan is a combination of a vertical and a horizontal scan. A block scan determines the same information as an ICMP ping sweep (i.e., which machines are active in the network block), with the added benefit of determining the services running on the active hosts.

Port Scan Types
No matter which method is selected, there are several ways to go about scanning ports on a system. Four common ones are:
TCP SYN scan
Stealth scan
FTP bounce scan
UDP scan

TCP/SYN Scan 1
To establish a TCP connection between a client and a server port, the two parties execute a 3-way handshake:
1. Client sends SYN
2. Server replies SYN/ACK
3. Client sends ACK (connection established)
Of course, the SYN/ACK is only returned if the port is open; a closed port answers the SYN with RST.

TCP/SYN Scan 2
A half-open SYN scan can be performed using nmap -sS. This scan sends a segment with the SYN flag set in the TCP header but never completes the handshake: when a SYN/ACK comes back, the scanner answers with RST instead of ACK. Because a full connection is never established, the application listening on the port never sees it and does not log it (a firewall or IDS watching the wire still can, as the next slide notes).
Result:
If the port is open, a segment with the SYN and ACK flags is returned.
If the port is closed, a segment with the RST flag is returned.
If the host is not alive, a border router will likely respond with an ICMP host unreachable message. If the network is configured not to send ICMP host unreachable messages, there will be no reply when scanning an inactive host.
If the port is firewalled (probes silently dropped), there is also no response. Thus the hacker must differentiate between an inactive host and a firewalled port based on other data obtained in the scan, which is why nmap reports a silent port as "filtered" rather than closed.
Note that -sS builds its own TCP segments on a raw socket, so nmap must run as root (Administrator on Windows) for it; the unprivileged alternative is the full-connect scan, nmap -sT, which the application does log.

TCP/SYN Scan 3
Results of a SYN scan of shemp: (scan output not reproduced in the transcript)

Stealth Scan
Filtering and other security systems such as firewalls will usually pick up on SYN packets sent to sensitive ports, and programs are available to log half-open SYN scan attempts. However, probe packets with strange TCP flag combinations can sometimes pass through filters undetected.
A stealth scan uses an unusual flag combination. Per RFC 793 only a closed port responds, with a RST; an open port silently drops the probe. The common probes are:
A FIN probe, with only the FIN flag set (nmap -sF)
An XMAS probe, "lit up" with the FIN, PSH and URG flags (nmap -sX)
A NULL probe, with no flags set (nmap -sN)
An ACK probe is different: both open and closed ports answer an unsolicited ACK with RST, so it cannot tell open from closed. Its use is mapping firewall rules: a RST means the port is unfiltered, silence means a filter dropped the probe (nmap -sA).
Caveat: the FIN/XMAS/NULL trick depends on the target following RFC 793. Windows, and several other stacks, send RST from every port regardless of state, so every port looks closed. And because an open port is inferred from silence, a probe dropped by a firewall looks open too, which is why nmap reports these ports as "open|filtered".

XMAS Scan Example
Result of an XMAS scan of shemp: (scan output not reproduced in the transcript)
Notice how many ports are open. Remember what that means for this scan type: a port is reported open whenever no RST comes back, so a firewall that silently drops the probes would produce the same listing.
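The three preceding slides are really one decision table: given the probe that was sent and what (if anything) came back, what state does the port get? The following added example, not code from the lecture, writes that table down for the SYN, FIN, XMAS, NULL and ACK probes, including the ambiguous cases (silence, ICMP unreachable). The probes and responses are constructed TCP headers, nothing is transmitted, and the port numbers and "host" behaviour in the demo are invented. It also shows why the XMAS listing above looks so generous: every silent port is counted as open.

```python
"""Classify port-scan responses for the SYN, FIN, XMAS, NULL and ACK probes
on the slides.  Added example, not from the lecture: no packets are sent,
the "responses" are constructed TCP headers or None for silence."""
import struct

# TCP flag bits (RFC 793) as they sit in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each probe sets; XMAS is nmap's FIN/PSH/URG, NULL sets nothing
PROBE_FLAGS = {"syn": SYN, "fin": FIN, "xmas": FIN | PSH | URG, "null": 0, "ack": ACK}


def tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Minimal 20-byte TCP header (data offset 5, no options).  The checksum
    is left 0 because it covers an IP pseudo-header this example does not build."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, window, 0, 0)


def tcp_flags(header):
    """The flags byte is at offset 13 of the TCP header."""
    return header[13]


def classify(probe, response):
    """Port state implied by `response` to a `probe`.
    response is None (silence), a TCP header, or ("icmp", type, code) for an
    ICMP unreachable error returned by a router or firewall."""
    if probe not in PROBE_FLAGS:
        raise ValueError("unknown probe %r" % probe)
    if isinstance(response, tuple) and response[0] == "icmp":
        # host unreachable / admin prohibited: something in the path blocked us
        return "filtered"
    flags = None if response is None else tcp_flags(response)

    if probe == "syn":
        if flags is None:
            return "filtered"          # dropped probe vs dead host: cannot tell here
        if flags & SYN and flags & ACK:
            return "open"              # handshake step 2; scanner answers RST, not ACK
        return "closed" if flags & RST else "unknown"

    if probe == "ack":
        # both open and closed ports reset an unsolicited ACK; only a filter is silent
        if flags is None:
            return "filtered"
        return "unfiltered" if flags & RST else "unknown"

    # FIN / XMAS / NULL: RFC 793 says a closed port sends RST and an open port
    # drops the segment, so silence means open *or* dropped by a filter
    if flags is None:
        return "open|filtered"
    return "closed" if flags & RST else "unknown"


def scan_report(probe, responses):
    """responses: {port: response}; returns {port: state}."""
    return {port: classify(probe, resp) for port, resp in responses.items()}


def looks_open(probe, responses):
    """Ports the report lists as open (or open|filtered).  On a host that drops
    probes this is every port, which is the caveat on the XMAS example slide."""
    return sorted(p for p, s in scan_report(probe, responses).items() if s.startswith("open"))


if __name__ == "__main__":
    # constructed host: 22 and 80 open, 23 closed, 445 silently dropped by a firewall
    syn_replies = {
        22: tcp_header(22, 40000, SYN | ACK, seq=1000, ack=1),
        23: tcp_header(23, 40000, RST | ACK, ack=1),
        80: tcp_header(80, 40000, SYN | ACK, seq=2000, ack=1),
        445: None,
    }
    print("SYN scan: ", scan_report("syn", syn_replies))
    # same host probed with XMAS: the open ports and the filtered one are all silent
    xmas_replies = {22: None, 23: tcp_header(23, 40000, RST | ACK), 80: None, 445: None}
    print("XMAS scan:", scan_report("xmas", xmas_replies))
    print("XMAS 'open' ports:", looks_open("xmas", xmas_replies))
```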

ftp Bounce Scan 1
A known problem in older ftp servers: An attacker connects to an FTP server and establishes a control connection. The attacker can then ask the FTP server, with the PORT command, to open an active-mode data connection to any address and port on the Internet, not just back to the attacker; the server becomes a connection proxy.
This can be exploited to scan behind a firewall: connect to an FTP server that sits behind the firewall, then use it to probe ports that the firewall blocks from the outside (nmap -b <ftp-server> automates this). If a directory is writable for the account you are using on the FTP server, you can also upload a file and have the server deliver its contents to the ports you find open.

ftp Bounce Scan 2
The process looks like this (attacker -> ftp server -> target):
1. Set up a legal ftp session with the ftp server.
2. Send a PORT command telling the server to connect to a specific port on the target machine. The argument is h1,h2,h3,h4,p1,p2: the four octets of the target address followed by the port split into its high and low bytes (port 80 is 0,80).
3. Follow that with a LIST command, which makes the server open the data connection.
There will be one of two responses:
The port is open:
150 Opening ASCII mode data connection for file list
226 Transfer complete
The port is closed:
425 Can't build data connection: Connection refused
Modern FTP servers refuse a PORT address that differs from the control connection's client address (a 5xx reply), which closes the hole.
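The exchange above, as an added example that is not part of the lecture: the PORT argument is encoded per RFC 959 (the port split into high and low bytes is the usual mistake), the server's reply codes are mapped to a port state, and a constructed stand-in for an old FTP daemon plays the server so the scan runs offline. The target address, ports and the `validates_port` switch that models a patched server are invented for illustration.

```python
"""FTP bounce probe: build the PORT command and read the server's verdict.
Added example, not from the lecture.  The FTP server below is a constructed
stand-in for an old daemon that honours PORT for third-party addresses; no
network connection is made."""
import socket


def port_command(ip, port):
    """RFC 959 PORT h1,h2,h3,h4,p1,p2: target address octets, then the port
    split into its high and low bytes (port 80 -> 0,80)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % port)
    octets = socket.inet_aton(ip)  # raises OSError on a malformed address
    return "PORT %d,%d,%d,%d,%d,%d" % (octets[0], octets[1], octets[2], octets[3],
                                       port >> 8, port & 0xFF)


def reply_code(line):
    """3-digit code from an FTP reply line; rejects anything that is not one."""
    if len(line) < 4 or not line[:3].isdigit() or line[3] not in " -":
        raise ValueError("malformed FTP reply: %r" % line)
    return int(line[:3])


def bounce_verdict(port_replies, list_replies):
    """Map the replies to PORT and LIST onto a port state, as on the slide."""
    if reply_code(port_replies[0]) != 200:
        return "bounce refused"           # server validates PORT: hole is closed
    codes = {reply_code(line) for line in list_replies}
    if codes & {125, 150}:
        return "open"                     # data connection to the target succeeded
    if 425 in codes:
        return "closed"                   # "Can't build data connection"
    return "unknown"


class ConstructedFtpServer:
    """Minimal model of a vulnerable FTP daemon's PORT/LIST handling.
    `open_ports` are the ports the *target* would accept a connection on."""

    def __init__(self, open_ports, validates_port=False):
        self.open_ports = set(open_ports)
        self.validates_port = validates_port   # patched servers reject third-party PORT
        self.data_target = None

    def send(self, cmd):
        verb, _, arg = cmd.partition(" ")
        if verb == "PORT":
            nums = [int(x) for x in arg.split(",")]
            if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
                return ["501 Syntax error in parameters or arguments."]
            if self.validates_port:
                return ["500 Illegal PORT command."]
            self.data_target = (".".join(map(str, nums[:4])), nums[4] << 8 | nums[5])
            return ["200 PORT command successful."]
        if verb == "LIST":
            if self.data_target and self.data_target[1] in self.open_ports:
                return ["150 Opening ASCII mode data connection for file list",
                        "226 Transfer complete."]
            return ["425 Can't build data connection: Connection refused."]
        return ["500 Unknown command."]


def bounce_scan(server, target_ip, ports):
    """Probe each port on `target_ip` through `server`; returns {port: state}."""
    return {p: bounce_verdict(server.send(port_command(target_ip, p)), server.send("LIST"))
            for p in ports}


if __name__ == "__main__":
    relay = ConstructedFtpServer(open_ports={21, 80})
    print(bounce_scan(relay, "152.117.6.1", [21, 22, 80, 443]))
    patched = ConstructedFtpServer(open_ports={80}, validates_port=True)
    print(bounce_scan(patched, "152.117.6.1", [80]))
```

Against a real server the two `send` calls become writes on the control socket and reads of the reply lines, and the target's view of the probe is a connection from the FTP server's address, which is the whole point of bouncing.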

UDP Scan
UDP port scanning (nmap -sU) is extremely slow: there is no handshake, so an open port usually says nothing, and hosts rate-limit the ICMP errors that signal closed ports (Linux sends at most one per second by default). Nmap sends an empty datagram (a protocol-specific payload for a few well-known ports) and interprets the result as follows:
A UDP reply comes back: open.
ICMP port unreachable (type 3, code 3): closed.
Other ICMP unreachable errors (type 3, codes 1, 2, 9, 10, 13): filtered.
No response at all: open|filtered, which is why UDP results are so ambiguous.
Unlike a TCP connect scan, nmap's UDP scan uses raw sockets to read the ICMP errors and so requires root privileges.