Network and System Security Risk Assessment


Network and System Security Risk Assessment --Network Tools

Ask yourself questions: As a white/black/grey/red hat hacker, how would I collect information? For example, what is the IP address range of our school?

Network Tools: ifconfig, traceroute, arp, netcat, tcpdump, wireshark, nmap, route

ifconfig: network configuration and status
  ifconfig                      status of all network interfaces
  ifconfig eth0                 status of the ethernet 0 connection
  ifconfig eth0 down            shuts ethernet 0 down
  ifconfig eth0 up              starts ethernet 0
  ifconfig eth0 172.16.13.97    assigns an IP address to ethernet 0
  man ifconfig                  more info

ifconfig output

eth1      Link encap:Ethernet  HWaddr 00:0A:B7:FE:36:DB
          inet addr:140.211.110.121  Bcast:140.211.110.255  Mask:255.255.255.0
          inet6 addr: fe80::20a:b7ff:fefe:36db/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5024 errors:1246 dropped:0 overruns:0 frame:1246
          TX packets:446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:11 txqueuelen:1000
          RX bytes:1329231 (1.2 MiB)  TX bytes:45872 (44.7 KiB)
          Interrupt:3 Base address:0x100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:157 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:43623 (42.6 KiB)  TX bytes:43623 (42.6 KiB)

route: configure or report the status of the host's routing table

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

route Options (Win)

route Options (Win) (continued)

route Example (Win)

Route command
man route
What will happen if we "route del default"?

traceroute host_name
Determines connectivity to a remote host; uses UDP.
Options:
  -f   set the initial ttl
  -F   set the don't-fragment bit
  -I   use ICMP echo request instead of UDP
  -t   set the type of service
  -v   verbose output
What if we try
  ping 192.168.137.1 -m 1
and
  ping fbbs.ustc.edu.cn -m 1

traceroute example

traceroute www.f-prot.com
 1  BBCisco-91.sou.edu (140.211.91.1)  0.654 ms  0.544 ms  0.504 ms
 2  scrubber.sou.edu (140.211.102.34)  0.416 ms  0.386 ms  0.522 ms
 3  sou-pop.nero.net (140.211.4.1)  1.638 ms  1.598 ms  1.561 ms
 4  corv-car2-gw.nero.net (140.211.1.25)  15.474 ms  24.891 ms corv-car2-gw.nero.net (140.211.0.185)  22.227 ms
 5  corv-car1-gw.nero.net (207.98.64.193)  20.046 ms  20.204 ms  21.661 ms
 6  ptld-core1-gw.nero.net (207.98.64.21)  21.631 ms  18.890 ms  31.521 ms
 7  ptld-core2-gw.nero.net (207.98.64.177)  18.932 ms  28.446 ms  23.135 ms
 8  ptck-core1-gw.nero.net (207.98.64.10)  19.978 ms  18.329 ms  30.266 ms
 9  POS6-1.hsipaccess2.Seattle1.Level3.net (63.211.200.245)  26.382 ms  31.671 ms  21.383 ms
10  ge-4-0-1.mp1.Seattle1.level3.net (209.247.9.61)  25.033 ms  28.164 ms  28.482 ms
11  gig11-1.hsa1.Seattle1.level3.net (209.247.9.46)  19.209 ms  44.756 ms  22.834 ms
12  core1.Seattle.Teleglobe.net (209.0.227.142)  54.156 ms  62.715 ms  34.783 ms
13  if-13-0.core2.Sacramento.Teleglobe.net (64.86.83.193)  45.352 ms  50.686 ms  47.254 ms
14  if-1-0.core2.Sacramento.Teleglobe.net (64.86.83.222)  46.497 ms  62.374 ms  75.823 ms
15  if-9-0.core2.Chicago3.Teleglobe.net (64.86.83.137)  98.147 ms  98.298 ms  103.634 ms
16  if-2-0.core3.NewYork.Teleglobe.net (64.86.83.218)  97.669 ms  103.466 ms  100.087 ms
17  if-10-0.core1.NewYork.Teleglobe.net (66.110.8.133)  97.588 ms  103.310 ms  100.475 ms
18  if-5-0-0.bb6.NewYork.teleglobe.net (207.45.221.104)  179.906 ms  101.384 ms  187.031 ms
19  ix-1-0-1.bb6.NewYork.Teleglobe.net (207.45.205.114)  163.676 ms  162.706 ms  165.844 ms
20  MultiGigabit-13.backbone-hofdab1.linanet.is (62.145.129.187)  166.070 ms  164.363 ms  176.033 ms
21  gigabit-1-1.skulagata.linanet.is (213.220.64.7)  167.057 ms  180.174 ms  191.346 ms
22  customer-gigabit-1-123.skulagata.linanet.is (62.145.130.150)  171.756 ms !X  *  163.602 ms !X

Tracert in Windows

tracert fbbs.ustc.edu.cn
Tracing route to fbbs.ustc.edu.cn [202.38.64.3]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     2 ms     3 ms     3 ms  58.210.228.1
  3     2 ms     2 ms     3 ms  222.92.172.53
  4     9 ms    11 ms     7 ms  221.224.229.245
  5     9 ms    10 ms     9 ms  202.97.27.2
  6    12 ms    12 ms    13 ms  202.97.82.53
  7    19 ms    11 ms    11 ms  202.97.48.254
  8     *        *        *     Request timed out.
  9    29 ms    29 ms    31 ms  202.127.216.201
 10   302 ms   285 ms   285 ms  szgz3.cernet.net [202.112.46.222]
 11   274 ms   279 ms   268 ms  hzsh3.cernet.net [202.112.46.134]
 12   282 ms   280 ms   266 ms  210.45.224.63
 13   278 ms   275 ms   285 ms  bbs.ustc.edu.cn [202.38.64.3]
Trace complete.

nslookup
nslookup www.baidu.com
nslookup www.facebook.com
Very interesting: different results at different times, because different techniques are utilized.
nslookup www.baidu.com 8.8.8.8 does in fact get a response, but 8.8.8.8 will be blocked for a while after google is tried.
Should be used together with wireshark to illustrate the workflow behind the scenes.
Try nslookup www.ustcsz.edu.cn 219.219.223.10
With wireshark, we can also understand how information is represented in a packet.

host: forward and reverse DNS lookups
host www.f-prot.com
www.f-prot.com has address 213.220.100.1
www.f-prot.com has address 213.220.100.2
www.f-prot.com has address 213.220.100.3
host 213.220.100.3
3.100.220.213.in-addr.arpa domain name pointer aula.frisk-software.com.
host 202.38.64.3 still works.

host: interesting examples
host fbbs.ustc.edu.cn
host 202.38.64.3
host www.facebook.com
host 69.63.189.16

whois
whois is used to discover who owns a website or domain name by searching the WHOIS database.
When you register a domain name, the Internet Corporation for Assigned Names and Numbers (ICANN) requires your domain name registrar to submit your personal contact information to the WHOIS database. The information then becomes public.
whois 69.63.189.19
whois 202.38.64.3
whois 219.219.223.10
whois www.baidu.com / www.google.com works all right, but fails for www.ustcsz.edu.cn / www.ustc.edu.cn. whois with an IP address works OK.

netstat example
Shows the status of all network connections; shows all listening ports.
  netstat -s    statistics
  netstat -p    show the pid of the owning process
  netstat -a    list all ports
  netstat -at   list all tcp ports
  netstat -au   list all udp ports
  netstat -l    list all listening ports
  netstat -lt   listening tcp ports
  netstat -lu   listening udp ports
  netstat -r    display routing information
  netstat -i    interface information
When you are using -p, you may notice that "not all processes will be displayed; information on non-owned processes can't be shown; you have to be root to see them all." Then we can check for the secret backdoor process. To display the backdoor, we have to use ps -a; ps on its own won't display the backdoor.

netstat - Linux

netstat Example (Win)

tcpdump
Packet sniffer; installed with Linux; commonly used.
Often used to produce the data file for GUI backends.

tcpdump Syntax
tcpdump (options) -i (interface) -w (dump file)
tcpdump -c 1000 -i eth0 -w etho.dmp

tcpdump Options
  -n            do not convert host addresses to names
  -nn           do not convert protocols and ports to names
  -i ethn       listen on interface eth0, eth1, eth2 ...
  -c xx         exit after xx packets
  -e            print link level info
  -f file_name  read packets from file file_name
  -v            slightly verbose
  -vv           verbose
  -vvv          very verbose
  -w file_name  write packets to file file_name
  -x            write packets in hex
  -X            write packets in hex and ASCII
  -S            write absolute sequence and acknowledgment numbers

netcat
Reads and writes UDP/TCP data: http://www.atstake.com/research/tools/
Useful to test networks and performance.

netcat
Copies data across network connections; uses UDP or TCP; reliable and robust.
Used directly at the command level; can be driven by other programs and scripts.
Very useful in forensic capture of a live system. Simple paradigm:
  On the remote collecting system, open a listening port.
  On the current/compromised system, pipe data to the remote system.
  The connection is closed automatically after the data transfer has completed.

netcat: nc, the swiss army knife
  nc -l 1234          (listen)
  nc localhost 1234
This establishes a communication tunnel, a convenient way to talk to each other. Combined with redirection, it can be used to transfer a file:
  nc -l 1234 > test
  cat file | nc localhost 1234

netcat
  echo -e "GET / HTTP/1.0\n\n" | nc localhost 80
This shows the homepage together with its headers. nc doesn't do HTTPS: nc -vv localhost 443 will report a successful connection but will not show the homepage.

NMAP
Nmap is the most popular scanning tool used on the Internet. Created by Fyodor (http://www.insecure.org), it was featured in the Matrix Reloaded movie.

Is Nmap the best tool? Yes it is.
It's free, open and well documented.
Long history of development and support.
Active user base, used in many products.
Continuous development and improvements.
"Industry Standard" port scanner.
Stay current!

History of Nmap
First released September 1, 1997 in Phrack 51, "The Art of Portscanning": http://www.insecure.org/nmap/p51-11.txt
Many updates since then: OS detection (Phrack 54), idle scanning, version scanning, ARP scanning.

…As seen in the movies!

nmap
  nmap localhost
  nmap localhost 192.168.137.221
  nmap -O 192.168.137.221
  nmap -O 192.168.137.1

ARP

TCP/IP Protocol Stack

ARP: what happens after typing "ftp server" at the $ prompt?

Address Resolution Protocol: ARP and RARP
  32-bit Internet address  --ARP-->   48-bit Ethernet address
  48-bit Ethernet address  --RARP-->  32-bit Internet address

ARP Protocol Flow

ARP Protocol Flow
1. Machine A wants to send a packet to B, knowing only B's IP address.
2. Machine A broadcasts an ARP request containing B's IP address.
3. All machines on the local network receive the broadcast.
4. Machine B replies with its physical address.
5. Machine A adds B's address information to its ARP table.
6. Machine A delivers the packet directly to B.

ARP Protocol
Ethernet hardware addresses: a 48-bit unique number; what the Ethernet interface card recognizes; the addresses used in the LAN.
Ethernet frame format: link-level connection among machines.
Frame types: 0800 IP; 0806 ARP; 8035 RARP.

ARP Protocol

ARP example: Wireshark with the filter rule arp

ARP caching
To reduce communication cost, ARP maintains a cache of recently acquired IP-to-physical address bindings.
Each entry has a timer (usually 20 minutes).
The sender's IP-to-address binding is included in every broadcast; receivers update the IP-to-physical address binding information in the cache before processing the ARP packet.
ARP is stateless: a system will update its cache on a reply, regardless of whether it sent a request.

ARP
arp -a example:
Internet Address    Physical Address     Type
192.168.0.9         00-0b-cd-d3-6e-91    dynamic
192.168.0.142       00-1e-90-be-ec-93    dynamic
192.168.0.254       00-0b-45-f6-98-00    dynamic

ARP poisoning
Question: How would you attack, given how the ARP cache works?

ARP Poisoning
How would you modify a target machine's ARP cache?
If you poisoned an ARP cache, how could you use this technique to compromise the security of your victim?

ARP Cache Poisoning
By sending a forged ARP reply, a target system can be made to send frames destined for the victim to the attacker.
There are various ways to conduct cache poisoning: broadcast, reply, gratuitous ARP message.

ARP: an attack example

ARP poisoning
The attacker impersonates a gateway and intercepts the traffic, either sending it on to the actual default gateway (passive sniffing) or modifying the data before forwarding it (man-in-the-middle attack).
DoS: by associating a nonexistent MAC address with the IP address of the victim's default gateway.
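An added example (not part of the slides) of the observer's side of the ARP flow and cache behaviour described above: it decodes Ethernet/ARP frames by the 0806 frame type, keeps its own first-seen IP-to-MAC table, and reports what a host's stateless ARP cache would accept silently: a changed binding for the gateway from the arp -a table, a gratuitous reply, or a sender MAC that differs from the frame's source address. All frames are constructed inside the script by build_arp, and the conflicting MAC 02:00:00:00:00:01 is a made-up value.

```python
import struct

ETH_TYPE_ARP = 0x0806        # frame types from the slides: 0800 IP, 0806 ARP, 8035 RARP
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Decode the 14-byte Ethernet header and 28-byte ARP body; None if the frame is not ARP."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_TYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_src": mac_str(eth_src), "op": op, "sha": mac_str(sha), "tha": mac_str(tha),
            "spa": ".".join(map(str, spa)), "tpa": ".".join(map(str, tpa))}

def build_arp(op, sha, spa, tha, tpa):
    """Construct a sample Ethernet/ARP frame (test input only, not captured traffic)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac(tha)   # requests are broadcast
    hdr = struct.pack("!6s6sH", eth_dst, mac(sha), ETH_TYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))
    return hdr + body

class ArpMonitor:
    """Keeps a first-seen IP-to-MAC table and reports what a stateless ARP cache would accept silently."""
    def __init__(self):
        self.table = {}      # ip -> mac as first learned
        self.alerts = []
    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["spa"], arp["sha"]
        if arp["op"] == ARP_REPLY and mac != arp["eth_src"]:
            self.alerts.append(f"{ip}: ARP sender {mac} != frame source {arp['eth_src']}")
        if arp["op"] == ARP_REPLY and ip == arp["tpa"]:
            self.alerts.append(f"{ip}: gratuitous reply from {mac}")
        if ip in self.table and self.table[ip] != mac:
            self.alerts.append(f"{ip}: binding changed {self.table[ip]} -> {mac}")
        self.table.setdefault(ip, mac)
        return arp

def demo():
    # Replay two constructed replies for the gateway in the slides' arp -a table (192.168.0.254).
    mon = ArpMonitor()
    host, gw = "00:0b:cd:d3:6e:91", "00:0b:45:f6:98:00"
    mon.observe(build_arp(ARP_REPLY, gw, "192.168.0.254", host, "192.168.0.9"))
    mon.observe(build_arp(ARP_REPLY, "02:00:00:00:00:01", "192.168.0.254", host, "192.168.0.9"))  # conflicting claim
    return mon.alerts
```

On the lab's observer machine the same checks can be run over frames captured with tcpdump -w and the Wireshark filter arp, which is how a static entry for the default gateway or a switch's dynamic ARP inspection would be validated.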

Lab: ARP cache poisoning
Environment setup: to conduct the lab, at least 3 machines are needed: attacker, victim, observer.
Choices: 3 virtual machines, or 2 virtual machines and the host.

Tools to use
Netwox: http://www.vulnerabilityassessment.co.uk/netwox.htm
A tool to send out network packets of different types and with different contents (Netwag is the GUI version).
Netwox consists of 222 tools, each with a specific number; some must be run with root privilege.
  netwox number [parameters …]

Tools to use
  netwox 80 --eth --ip --eth-dst --ip-dst

seed@seed-desktop:/etc$ netwox 72 --help
Title: Scan ARP (EthIp spoof)
Usage: netwox 72 -i ips [-d device] [-E eth] [-I ip]
Parameters:
 -i|--ips ips            list/range of IP addresses {1.2.3.4,5.6.7.8}
 -d|--device device      spoof device {Eth0}
 -E|--src-eth eth        source ethernet address {0:a:a:a:a:a}
 -I|--src-ip ip          source IP address {1.2.3.4}
 --help2                 display help for advanced parameters