DefCon: Network Mapping Techniques
Simple Nomad, Nomad Mobile Research Centre, BindView Corporation



About This Presentation
• Assume basics
  – Understand IP addressing
  – Understand basic system administration
• Tools
  – Where to find them
  – Basic usage
• A "Network" point of view

About Me
• NMRC:
• BindView:

Know Your Target
• Public information
• Network enumeration
• Network mapping

Public Information
• Public records
• WHOIS
• DNS
• Public postings

Network Enumeration
• Goals of network enumeration
• ICMP
• Scanning
• TCP Fingerprinting
• Additional Probes

ICMP
• Sweeping a network with Echo
• Typical alternates to ping
  – Timestamp
  – Info Request
• Advanced ICMP enumeration
  – Host or port unreachable with illegal header length

Scanning
• Why scan?
• Nmap – de facto standard
  – Ping sweeps
  – Port scanning
  – Additional features

TCP Fingerprinting
• Several different types of packets are sent
• Various responses come back
• Differences can determine the OS of the remote system
• Using just ICMP is possible

Additional Probes
• Possible security devices
• Sweep for promiscuous devices

Network Mapping
• Determine network layout
• Traceroute
• Firewalk

Bypassing the Firewall
• Tools
  – Firewalk
  – Nmap
• Common ports
• State table manipulation

Avoiding Intrusion Detection
• Manipulation of "detected" data
• Use of fragmented packets
• Triggering false positives, or distraction

Connecting the Dots
• View each step as a small part of a big picture
• Each step is important
• Data could be stored for later use

Example Intrusion
• WHOIS
  – DNS server names
• Traceroute
• DNS zone dump
• Host enumeration
• Public systems
• Initial port scanning

WHOIS

    # whois
    Whois Server Version 1.1

    Domain names in the .com, .net, and .org domains can now be registered
    with many different competing registrars. Go to for detailed information.

       Domain Name: TARGET-COMPANY.COM
       Registrar: NETWORK SOLUTIONS, INC.
       Whois Server: whois.networksolutions.com
       Referral URL:
       Name Server: NS1.TARGET-COMPANY.COM
       Name Server: NS2.TARGET-COMPANY.COM
       Updated Date: 06-dec-1999

    >>> Last update of whois database: Mon, 20 Mar 00 03:35:14 EST <<<

    The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and Registrars.

Traceroute

    # traceroute ns1.target-company.com
    traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
     1  fw-gw ( )  ms  ms  ms
     2  s1-0-1-access ( )  ms  ms  ms
     3  dallas.tx.core1.fastlane.net ( )  ms  ms  ms
     4  atm CR-1.usdlls.savvis.net ( )  ms  ms  ms
     5  Serial1-0-1.GW1.DFW1.ALTER.NET ( )  ms  ms  ms
     6  ATM3-0.XR2.DFW4.ALTER.NET ( )  ms  ms  ms
     7  ( )  ms  ms  ms
     8  dfw2-core2-pt4-1-0.atlas.digex.net ( )  ms  ms  ms
     9  dfw2-core1-fa8-1-0.atlas.digex.net ( )  ms  ms  ms
    10  swbell-net.demarc.swbell.net ( )  ms  ms  ms
    11  ded2-fa1-0-0.rcsntx.swbell.net ( )  ms  ms  ms
    12  target-company cust-rtr.swbell.net ( x.xxx)  ms  ms  ms
    13  ns1.target-company.com (xxx.xx.xx.xx)  ms  ms  ms

Traceroute

    # traceroute ns2.target-company.com
    traceroute to ns2.target-company.com (xxx.xx.x.x), 30 hops max, 40 byte packets
     1  fw-gw ( )  ms  ms  ms
     2  s access ( )  ms  ms  s1-0-1-access ( )  ms
     3  dallas.tx.core1.fastlane.net ( )  ms  ms  ms
     4  FE-0.core2.fastlane.net ( )  ms  ms  ms
     5  hs-9-0.a09.dllstx01.us.ra.verio.net ( )  ms  ms  ms
     6  ge a10.dllstx01.us.ra.verio.net ( )  ms  ms  ms
     7  g6-0.dfw2.verio.net ( )  ms  ms  ms
     8  core4-atm-uni0-0-0.Dallas.cw.net ( )  ms  ms  ms
     9  core2-fddi-0.Dallas.cw.net ( )  ms  ms  ms
    10  border6-fddi-0.Dallas.cw.net ( )  ms  ms  ms
    11  target-company-inet.Dallas.cw.net ( xxx.xxx)  ms  ms  ms
    12  ns1.target-company.com (xxx.xx.x.x)  ms  ms  ms

DNS Zone Dump

    # nslookup
    Default Server:  vortex.fastlane.net
    Address:

    > server ns1.target-company.com
    Default Server:  ns1.target-company.com
    Address:  xxx.xx.xx.xx

    > ls -a TARGET-COMPANY.COM > dump.txt
    [ns1.target-company.com]
    ################################################################################
    ######################################################################
    Received answers (0 records).
    >

Host Enumeration

    # ./icmpenum -i 2 -c xxx.xx
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up
    xxx.xx is up

Public Systems
•
  – www2, www3
• ftp.target-system.com
• mail.target-system.com

Scanning

    # nmap -O -T Polite -n xxx.xx
    Starting nmap V. 2.3BETA14 by ( )
    Interesting ports on (xxx.xx.17.11):
    Port    State    Protocol  Service
    21      open     tcp       ftp
    23      open     tcp       telnet
    25      open     tcp       smtp
    79      open     tcp       finger
    110     open     tcp       pop
            open     tcp       auth
    143     open     tcp       imap2

    TCP Sequence Prediction: Class=truly random
                             Difficulty= (Good luck!)
    Remote operating system guess: Linux
    Nmap run completed -- 1 IP address (1 host up) scanned in 625 seconds

    # nmap -O xxx.xx
    Starting nmap V. 2.3BETA14 by ( )
    No ports open for host (xxx.xx.17.11)
    Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

More Scanning

    # nmap -F -sS -v -v -n firewall.target-system.com
    Starting nmap V. 2.3BETA14 by ( )
    Host (xxx.xx.49.17) appears to be up ... good.
    Initiating SYN half-open stealth scan against (xxx.xx.49.17)
    Adding TCP port 189 (state Firewalled).
    The SYN scan took 270 seconds to scan 1047 ports.
    Interesting ports on (xxx.xx.49.17):
    Port    State      Protocol  Service
    139     filtered   tcp       netbios-ssn
    161     filtered   tcp       snmp
    189     filtered   tcp       qft
    256     filtered   tcp       rap
    257     filtered   tcp       set
    258     filtered   tcp       yak-chat

    Nmap run completed -- 1 IP address (1 host up) scanned in 273 seconds
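The ICMP slide notes that timestamp and information requests are routine substitutes for echo, and the scanning slides show what a SYN sweep of one host looks like from the other side. The defender's counterpart is to notice both in firewall logs. The following is an added example, not code from the talk or from any of the tools it names: it parses constructed iptables-style log lines (sample data, not from the slides) and flags a horizontal ICMP sweep counted across echo, timestamp, info-request and address-mask requests, as well as a vertical TCP SYN scan against a single host. Field names, thresholds and the log format are assumptions for the example.

```python
import re
from collections import defaultdict


def _log(src, dst, proto, **fields):
    """Build one constructed iptables-style log line (sample data, not from the slides)."""
    tail = " ".join(f"{k}={v}" for k, v in fields.items())
    return f"Mar 20 03:35:14 fw kernel: IN=eth0 OUT= SRC={src} DST={dst} PROTO={proto} {tail}"


# Constructed sample: 198.51.100.7 sweeps 192.0.2.1-10 with ICMP timestamp requests
# (type 13) plus one echo; 198.51.100.9 sends SYNs to eight ports on 192.0.2.10;
# 203.0.113.5 is ordinary traffic (one web connection, one ping).
LOG_LINES = (
    [_log("198.51.100.7", f"192.0.2.{i}", "ICMP", TYPE=13, CODE=0) for i in range(1, 11)]
    + [_log("198.51.100.7", "192.0.2.10", "ICMP", TYPE=8, CODE=0)]
    + [_log("198.51.100.9", "192.0.2.10", "TCP", SPT=40000 + p, DPT=p) + " SYN"
       for p in (21, 23, 25, 79, 110, 113, 143, 139)]
    + [_log("203.0.113.5", "192.0.2.10", "TCP", SPT=51000, DPT=80) + " SYN",
       _log("203.0.113.5", "192.0.2.10", "ICMP", TYPE=8, CODE=0)]
)

KV_RE = re.compile(r"(\w+)=(\S*)")
# ICMP request types a host will answer: echo, timestamp, info request, address mask.
# Filters that drop only echo (type 8) still let the other three enumerate hosts.
ICMP_PROBE_TYPES = {8: "echo", 13: "timestamp", 15: "info-request", 17: "addr-mask"}


def parse_line(line):
    """Extract the key=value fields plus the bare TCP flag tokens into a dict."""
    f = dict(KV_RE.findall(line))
    rec = {"src": f.get("SRC"), "dst": f.get("DST"), "proto": f.get("PROTO")}
    if rec["proto"] == "ICMP":
        rec["icmp_type"] = int(f["TYPE"])
    elif rec["proto"] == "TCP":
        rec["dport"] = int(f["DPT"])
        tokens = line.split()          # flags such as SYN / ACK appear as bare tokens
        rec["syn_only"] = "SYN" in tokens and "ACK" not in tokens
    return rec


def detect_icmp_sweeps(records, min_hosts=8):
    """Horizontal sweep: one source probing many distinct hosts with any request type."""
    hosts, types_seen = defaultdict(set), defaultdict(set)
    for r in records:
        if r["proto"] == "ICMP" and r.get("icmp_type") in ICMP_PROBE_TYPES:
            hosts[r["src"]].add(r["dst"])
            types_seen[r["src"]].add(ICMP_PROBE_TYPES[r["icmp_type"]])
    return {src: {"hosts": len(d), "types": sorted(types_seen[src])}
            for src, d in hosts.items() if len(d) >= min_hosts}


def detect_port_scans(records, min_ports=6):
    """Vertical scan: one source sending initial SYNs to many ports on one host."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == "TCP" and r.get("syn_only"):
            ports[(r["src"], r["dst"])].add(r["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def analyse(lines):
    """Return (icmp sweeps, port scans) found in a batch of log lines."""
    records = [parse_line(line) for line in lines]
    return detect_icmp_sweeps(records), detect_port_scans(records)


if __name__ == "__main__":
    sweeps, scans = analyse(LOG_LINES)
    print("ICMP sweeps:", sweeps)
    print("Port scans:", scans)
```

The sweep detector deliberately counts all four request types together: a source that alternates timestamp and echo requests across a range is still one sweep, and a rule that only alerts on echo would score it below threshold. The SYN-only condition keeps the port counter from being inflated by replies or established flows.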

Network Mapping

[Diagram built up across several slides. Labels in the final version: Sun, Linux, Firewall, NT Hosts, Inside, DMZ, www, ftp, cw, swb, VPN, Internet, Routers, Linux xxx.xx.48.2, AIX xxx.xx.48.1, Checkpoint Firewall-1 Solaris 2.7 xxx.xx, Checkpoint Firewall-1, Nortel VPN xxx.xx, Cisco xxx.xxx, Nortel CVX x.xxx, IDS?]
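The map on these slides is assembled largely from the two traceroutes earlier in the deck: the last hops before ns1 and ns2 belong to different providers, which is how the "cw" and "swb" routers end up on the diagram. The following added example (not the speaker's code, and not any published tool) does that step mechanically. It parses traceroute output, works out which upstream provider owns the last hop outside the target's own domain, and measures how many leading hops the paths share (those belong to the prober's side of the Internet, not the target's). The trace text is constructed to mirror the slides' hostnames; the IP addresses are placeholders from the documentation ranges, and the "registrable domain = last two labels" rule is a deliberate simplification.

```python
import re
from collections import namedtuple

Hop = namedtuple("Hop", "number host ip")

HEADER_RE = re.compile(r"^traceroute to (\S+) \(")
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:([^\s(]+)\s+)?\(([^)]*)\)")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")

# Constructed traceroute output modelled on the two traces in the slides.
# Hostnames are the ones shown there; IPs are placeholders (192.0.2.0/24,
# 198.51.100.0/24, 10.0.0.0/8), not addresses from the original.
TRACE_NS1 = """\
traceroute to ns1.target-company.com (192.0.2.10), 30 hops max, 40 byte packets
 1  fw-gw (10.0.0.1)  1 ms  1 ms  1 ms
 2  s1-0-1-access (10.0.1.1)  4 ms  4 ms  4 ms
 3  dallas.tx.core1.fastlane.net (198.51.100.1)  8 ms  8 ms  8 ms
 4  Serial1-0-1.GW1.DFW1.ALTER.NET (198.51.100.33)  9 ms  9 ms  9 ms
 5  dfw2-core2-pt4-1-0.atlas.digex.net (198.51.100.65)  11 ms  11 ms  11 ms
 6  * * *
 7  ded2-fa1-0-0.rcsntx.swbell.net (198.51.100.97)  14 ms  14 ms  14 ms
 8  target-company-cust-rtr.swbell.net (192.0.2.1)  16 ms  16 ms  16 ms
 9  ns1.target-company.com (192.0.2.10)  17 ms  17 ms  17 ms
"""

TRACE_NS2 = """\
traceroute to ns2.target-company.com (192.0.2.20), 30 hops max, 40 byte packets
 1  fw-gw (10.0.0.1)  1 ms  1 ms  1 ms
 2  s1-0-1-access (10.0.1.1)  4 ms  4 ms  4 ms
 3  dallas.tx.core1.fastlane.net (198.51.100.1)  8 ms  8 ms  8 ms
 4  FE-0.core2.fastlane.net (198.51.100.2)  8 ms  8 ms  8 ms
 5  g6-0.dfw2.verio.net (198.51.100.129)  10 ms  10 ms  10 ms
 6  core4-atm-uni0-0-0.Dallas.cw.net (198.51.100.161)  12 ms  12 ms  12 ms
 7  border6-fddi-0.Dallas.cw.net (198.51.100.162)  13 ms  13 ms  13 ms
 8  target-company-inet.Dallas.cw.net (192.0.2.17)  15 ms  15 ms  15 ms
 9  ns2.target-company.com (192.0.2.20)  16 ms  16 ms  16 ms
"""


def parse_traceroute(text):
    """Return (target hostname, [Hop, ...]); unanswered hops get host=None."""
    target, hops = None, []
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            target = m.group(1)
        elif (m := HOP_RE.match(line)):
            hops.append(Hop(int(m.group(1)), m.group(2), m.group(3)))
        elif (m := TIMEOUT_RE.match(line)):
            hops.append(Hop(int(m.group(1)), None, None))
    return target, hops


def provider_of(hostname):
    """Approximate registrable domain: the last two labels of the name."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def last_mile_providers(target_domain, traces):
    """Map each traced host to the provider owning the last hop that is not
    already inside the target's own domain (the upstream it hangs off)."""
    out = {}
    for text in traces:
        target, hops = parse_traceroute(text)
        outside = [h for h in hops if h.host and provider_of(h.host) != target_domain.lower()]
        out[target] = provider_of(outside[-1].host) if outside else None
    return out


def shared_prefix_len(traces):
    """Number of leading hops identical in every trace (the prober's own path)."""
    paths = [[h.host for h in parse_traceroute(t)[1]] for t in traces]
    n = 0
    for hosts in zip(*paths):
        if len(set(hosts)) != 1 or hosts[0] is None:
            break
        n += 1
    return n


def upstreams(providers):
    """Distinct upstream providers seen; more than one means the target is multi-homed."""
    return sorted({p for p in providers.values() if p})


if __name__ == "__main__":
    providers = last_mile_providers("target-company.com", [TRACE_NS1, TRACE_NS2])
    print(providers, "shared hops:", shared_prefix_len([TRACE_NS1, TRACE_NS2]))
    print("upstreams:", upstreams(providers))
```

Run against traces to your own name servers from an outside vantage point, this shows exactly what the "Connecting the Dots" slide warns about: the upstream relationships and router names are recoverable from public path data alone, so reverse-DNS names on border routers should not reveal more than you are prepared to publish.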

Basic Distributed Attack Models
• Attacks that do not require direct observation of the results
• Attacks that require the attacker to directly observe the results

Basic Model

[Diagram: Client issues commands; Server processes commands to agents; Agent carries out commands.]

More Advanced Model

[Diagram: Attacker and Target; Forged ICMP Timestamp Requests; ICMP Timestamp Replies; Sniffed Replies.]

Even More Advanced Model

[Diagram built up across several slides: Target; Firewall, Firewall; Upstream Host; Master Node; Attack Node, Attack Node; Attacks or Probes; Replies; Sniffed Replies.]

(Mostly) Free Stuff
• HackerShield RapidFire Update 208
  – With SANS Top Ten checks, including comprehensive CGI scanner
• VLAD the Scanner
  – Freeware open-source security scanner, including same CGI checks as HackerShield
  – Focuses only on SANS Top Ten
• Despoof
  – Detects possible spoofed packets through active queries against suspected spoofed IP address
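The slide describes Despoof only as detecting spoofed packets by actively querying the address a suspect packet claims to come from. One well-known heuristic of that shape, shown here as an added example and not as Despoof's actual code (the tool's exact checks are not on the slide, so treating TTL comparison as its method is an assumption), is to compare the hop distance implied by the suspect packet's TTL with the distance implied by a reply solicited from the claimed source. Both sample TTL values below are constructed.

```python
# Initial TTL values used by common IP stacks; a packet's remaining TTL is
# assumed to have started at the smallest of these that is not below it.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Guess the sender's starting TTL from the value seen on the wire."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise AssertionError("unreachable: 255 covers every valid TTL")


def hop_distance(observed_ttl):
    """Hops the packet appears to have travelled from the inferred starting TTL."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def spoof_verdict(suspect_ttl, probe_reply_ttl, tolerance=2):
    """Compare the suspect packet against a reply actively solicited from the
    address it claims as its source.  Two things should agree if the packet
    really came from there: the inferred starting TTL (same OS family) and the
    hop distance (same path length, within a small tolerance for route changes)."""
    d_suspect = hop_distance(suspect_ttl)
    d_probe = hop_distance(probe_reply_ttl)
    initial_match = infer_initial_ttl(suspect_ttl) == infer_initial_ttl(probe_reply_ttl)
    consistent = initial_match and abs(d_suspect - d_probe) <= tolerance
    return {
        "suspect_distance": d_suspect,
        "probe_distance": d_probe,
        "initial_ttl_match": initial_match,
        "likely_spoofed": not consistent,
    }


def triage(samples, tolerance=2):
    """Run the comparison over (claimed source, suspect TTL, probe reply TTL) tuples."""
    return {src: spoof_verdict(s, p, tolerance)["likely_spoofed"] for src, s, p in samples}


# Constructed samples: the first packet shows a 64-based TTL 12 hops out while the
# real host answers with a 128-based TTL 15 hops out; the second pair agrees.
SAMPLES = [
    ("203.0.113.5", 52, 113),
    ("198.51.100.7", 51, 52),
]

if __name__ == "__main__":
    for src, suspect, probe in SAMPLES:
        print(src, spoof_verdict(suspect, probe))
```

The check is a heuristic, not proof: asymmetric routing can shift the hop count by more than the tolerance, hosts can be configured with non-default starting TTLs, and an attacker on the same path as the claimed source will look consistent. It is still a cheap first filter before a suspected spoofed source is escalated, which is the role the slide gives Despoof.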

Questions, etc.
• Thanks to:
  – Ofir Arkin
  – Donald McLachlan
• For followup: