Information Gathering
Dr. Neminath Hubballi
Indian Institute of Technology Indore

Overview
- What is information gathering
- Port scanning
- Network mapping
- Operating system fingerprinting
- Collecting information from public databases
- Social engineering
- Elicitation
What is It
- "War is 90% information" - Napoleon Bonaparte
- It is about understanding the target
- Traditional war vs. computer crime: different techniques
- The challenge: being invisible while gathering the maximum amount of information
Port Scanning
- A port is a logical entity to which a running server application or service is bound
- A port number is a 16-bit number
- It acts as a channel through which data is exchanged between a device and a process
- Often it identifies a protocol; for example, port 80 is used by HTTP
- Port numbers are of two types: reserved (the first few port numbers) and general (the remaining port numbers)
- Ports can be TCP or UDP

Why Scan Ports
- To discover running services
- Even for a security audit: why are certain ports open when they are not supposed to be? This is why many port scanners are available freely
- Normally a target host is chosen for scanning
- A target is a single port on a host
- A scan is a set of connection attempts from a single source to a set of targets
- A port scanner is software that allows a set of ports to be scanned
Port Scanning
- If an application is running on a port, it accepts external communications
- If you talk to it, it will respond, positively or negatively
- The simple way to know whether a port is open or not is to send a packet and wait for a response
- What packet to send? It depends

Port Scanning
- Scanning means looking at one or more ports and discovering which are open
- How? By sending packets
- Variety: TCP or UDP; what type of options or flags (e.g. ACK, SYN, URG); at what rate (fast, slow); contiguous, random, or following some order/logic

Types of Port Scans
- By address range: vertical scan (scan the same port on different hosts); horizontal scan (scan several ports on the same host); block scan (a combination of the above two)
- By timing: periodic scan (scan at regular intervals); intensive scan (scan a particular set of ports and hosts); random scan (no particular order); stealth scan (be evasive)
- By source: single source; distributed; coordinated
Socket-based Connections
Socket calls for connection-oriented communication (figure rendered as text):
- Server: bind() -> listen() -> accept() (blocks until the server receives a connect request from a client) -> read()/write() data -> close()
- Client: connect() (connect negotiation with the server's accept()) -> write()/read() data -> close()

State of Port
- Open: listening and accepts connections
- Closed: not listening, or no host there at all
- Filtered: you cannot reach it; a firewall does not allow entry, so the status is unknown
TCP Scan Types: SYN Scan, FIN Scan, ACK Scan
- SYN scan: a TCP connection is a 3-way handshake. Send a TCP SYN packet to a target. If a SYN-ACK arrives, the port is open; tear down the connection with RST. If a RST is received, the port is closed.
- FIN scan: send a TCP FIN packet to a target. If the port is closed, a RST will arrive. If the port is open, there is no response.
- ACK scan: send a packet with the ACK flag set. If a RST packet is received, the port is closed. No reply indicates the port is filtered by a firewall.

TCP Scan Types: Connect Scan, Reverse identd Scan, Xmas Tree Scan
- Connect scan: Unix systems use the connect() system call to establish a connection with a peer process. If connect() succeeds, a connection is established; if connect() fails, it is not. At the end of this scan, a list of ports to which a connection can be established is produced. It is easy to detect, as a full connection is established.
- Reverse identd scan
- Xmas tree scan: send a packet with the FIN, URG and PUSH flags set.

TCP Scan Types: Null Scan
- Send a packet without any flags set
- If the port is closed, a RST packet is received
TCP Scan Types: Idle Scan
- A very stealthy scanning technique
- A zombie is identified through which packets are sent, so the packets are not traced back to the scanning host
- Works by exploiting "predictable IP fragmentation ID" sequence generation on the zombie host
- Check the IPID on the zombie and send a spoofed packet to the victim
- If a SYN/ACK packet is received, the port is open; otherwise the port is closed

UDP Scan
- Not many varieties: send a UDP packet and wait
- Difficult to ascertain: there is no response if the port is open, but no response does not by itself indicate an open port on the target
- If the port is closed, an ICMP_PORT_UNREACHABLE packet will arrive
- Only closed ports can be determined; open ports cannot be detected correctly
- Many operating systems limit the number of ICMP_PORT_UNREACHABLE packets
- nmap -sU

ICMP Scan (Ping Scan)
- Send an ICMP ECHO REQUEST packet
- If an ICMP ECHO RESPONSE is received, the host is up; otherwise it is down

IP Scan
- Determines whether IP protocols are supported or not
- Send an IP packet without any additional header and wait for a response
- If an ICMP_PORT_UNREACHABLE packet is received, the IP protocol is not supported; otherwise it is supported
- Today virtually every machine supports the IP protocol
- Some OSes (HP-UX, AIX, Digital UNIX systems) do not send ICMP_PORT_UNREACHABLE packets
- [bash]# nmap -sO 192.168.1.1
Well-Known Ports
- UDP Port 7: Echo service. Send something on this port and the system echoes it back. A historical attack exploited a weakness with oversized packets (bigger than 65536 bytes). A variation of the same attack sent fragmented packets accumulating to more than 65536 bytes.
- TCP Port 23: Telnet. Used for remote login; acts as a terminal emulator. Historically many buffer overflows were found in telnet.

Well-Known Ports
- TCP Port 11: Systat. Displays the status of the system. Gives hackers an idea about the users of the system and the other services running.
- TCP Port 15: Netstat. Displays the network connections of the system.
- TCP Port 20, 21: FTP. Used to transfer files between systems; needs an FTP server and a client.

Well-Known Ports
- TCP Port 25: SMTP. Email service; listens for incoming email messages and copies them to the appropriate mailboxes. Common vulnerabilities: mail bombing, spamming, denial of service attacks.

Well-Known Ports
- TCP Port 43: Whois. Provides a directory service; some sites maintain information about users, departments and services.
- TCP/UDP Port 80: HTTP. Protocol for the World Wide Web; a stateless protocol. When a URL is entered in a web browser, it is converted into an HTTP request and sent.
Port Scanning Tools
- Nmap: an open source tool, popular to the extent of being a de-facto name for port scanner. More than just a port scanner. Available for both Linux and Windows platforms. Commands: nmap -sT (full TCP connection scan), nmap -sS (TCP SYN scan), nmap -sP (ping scan), nmap -PT (ping scan with a TCP packet), nmap -sF (TCP FIN scan), nmap -sX (Xmas tree options), nmap -sN (null scan, turns off many flags)
- Netcat:
- Strobe:

Port Scanning Tools: Super Scanner
- Different scanning options are available; much similar to nmap.
- Host names can be resolved.
- A timeout period can be set, i.e., the duration to wait before declaring a host as not up.
- Traceroute options are also available.

Port Scanning Tools: Super Scanner (two screenshot slides; images not included)

Defense Mechanisms
- Firewall configuration: drop packets for closed ports; only repeated scan attempts reveal to attackers that the port is filtered
- Do not trust source port values; stateful firewalls will remember
- Most IDS can detect port scans; check IDS logs routinely
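The scan taxonomy by address range and the flag-based probe types (SYN, FIN, Null, Xmas, ACK) from the earlier slides, applied as the kind of log-side detection the IDS bullet above refers to. This is an added example, not code from the lecture; the log lines, IP addresses, field layout and alert threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed firewall log (not real traffic): "time src dst dport flags",
# flags in nmap letters (S=SYN A=ACK F=FIN P=PUSH U=URG, '-' = none set).
# 10.0.0.5 sweeps ports on one host, 10.0.0.9 sweeps one port across hosts,
# 10.0.0.20 is an ordinary client completing a handshake on port 80.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 192.168.1.10 22 S
10:00:01 10.0.0.5 192.168.1.10 23 S
10:00:01 10.0.0.5 192.168.1.10 80 S
10:00:02 10.0.0.5 192.168.1.10 443 S
10:00:05 10.0.0.9 192.168.1.11 445 FPU
10:00:05 10.0.0.9 192.168.1.12 445 FPU
10:00:06 10.0.0.9 192.168.1.13 445 FPU
10:00:06 10.0.0.9 192.168.1.14 445 FPU
10:00:07 10.0.0.20 192.168.1.10 80 S
10:00:07 10.0.0.20 192.168.1.10 80 A
"""

# Flag sets that identify the probe types described in the slides.
PROBE_TYPES = {frozenset(): "null", frozenset("FPU"): "xmas",
               frozenset("F"): "fin", frozenset("S"): "syn",
               frozenset("A"): "ack"}

def probe_type(flags):
    """Name the probe from its flag letters ('-' means no flags set)."""
    return PROBE_TYPES.get(frozenset(flags) - {"-"}, "other")

def detect_scans(log_text, threshold=4):
    """Return {src: (shape, sorted probe types)} for sources that touched at
    least `threshold` distinct (host, port) targets. Shape follows the slides:
    vertical = same port on many hosts, horizontal = many ports on one host."""
    targets, kinds = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        _, src, dst, port, flags = line.split()
        targets[src].add((dst, int(port)))
        kinds[src].add(probe_type(flags))
    alerts = {}
    for src, pairs in targets.items():
        if len(pairs) < threshold:
            continue            # a normal client repeats the same target
        hosts = {d for d, _ in pairs}
        ports = {p for _, p in pairs}
        if len(hosts) > 1 and len(ports) > 1:
            shape = "block"
        elif len(hosts) > 1:
            shape = "vertical"
        else:
            shape = "horizontal"
        alerts[src] = (shape, sorted(kinds[src]))
    return alerts
```

Counting distinct (host, port) pairs rather than raw packets is what keeps the retransmitting client on port 80 out of the alert list.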
Network Mapping
- Identifying the hosts in a target network; discovering the IP addresses of hosts
- Build a view of network entities: where is the printer, where is the web server, where is the mail server
- The basic mapping tool is ping; nmap is also a mapper

Port Scanning Tools: Pinger
- Pinger shows the network using animated graphic icons.
- It generates ping messages to all devices in parallel.
- It graphically shows the active machines in the network.
Indian Institute of Technology Guwahati, 11-09-2018

Port Scanning Tools: Pinger (screenshot slide; image not included)
Operating System Fingerprinting
- Detection of the operating system running on the target machine.
- This is possible because different operating systems respond differently to certain kinds of packets.
- The response obtained from the target machine is compared with the stored signatures.
- Often hosts themselves announce their details in a header or banner.

Operating System Fingerprinting
- There are two ways of OS fingerprinting: active and passive.
- Active fingerprinting techniques send a series of carefully crafted packets, analyze the responses and match them against a signature to determine the OS.
- The following can be used for active detection: FIN probing, ICMP error quoting, TCP timestamp, fragmentation handling.
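The signature-comparison step from the slide above, worked as a passive match on the characteristics of a single observed SYN. This is an added example, not code from the lecture; the signature values, the OS labels and the sample SYN are constructed for illustration, and the field set is far smaller than a real fingerprint database uses.

```python
# Constructed signatures (illustrative, not from a real fingerprint
# database): initial TTL, TCP window, DF bit and MSS as seen in a SYN.
SIGNATURES = {
    "os-A (constructed)": {"ttl": 64, "win": 29200, "df": True, "mss": 1460},
    "os-B (constructed)": {"ttl": 128, "win": 8192, "df": True, "mss": 1460},
    "os-C (constructed)": {"ttl": 255, "win": 4128, "df": False, "mss": 536},
}
FIELDS = ("ttl", "win", "df", "mss")
INITIAL_TTLS = (32, 64, 128, 255)   # common sender defaults

def guess_initial_ttl(observed_ttl):
    """Every router hop decrements the TTL, so the sensor sees a value
    below what the sender set. Round up to the nearest common default."""
    for init in INITIAL_TTLS:
        if observed_ttl <= init:
            return init
    return observed_ttl

def match_fingerprint(observed):
    """Compare an observed SYN with each stored signature and return
    (best signature name, number of fields matched, estimated hop count)."""
    init_ttl = guess_initial_ttl(observed["ttl"])
    normalized = dict(observed, ttl=init_ttl)
    best, best_score = None, -1
    for name, sig in SIGNATURES.items():
        score = sum(sig[f] == normalized[f] for f in FIELDS)
        if score > best_score:
            best, best_score = name, score
    return best, best_score, init_ttl - observed["ttl"]

# Constructed observation: a SYN that arrived 13 hops away from an os-A host.
SAMPLE_SYN = {"ttl": 51, "win": 29200, "df": True, "mss": 1460}
```

A partial score (fewer than four fields matched) is the usual result when a host has a tuned TCP stack, which is why real databases carry many more fields than this.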
Collecting Information from Public Databases
- Whois databases for IP addresses

Whois Database
- IP ranges are specific to countries
- ARIN: American Registry for Internet Numbers, the database of IP addresses in the US; RIPE: Europe; APNIC: Asia
- Why do we need such a database? It helps in traceback: inform the IT in-charge of the source network of an attack