Scanning slides (c) 2012 by Richard Newman based on Hacking Exposed 7 by McClure, Scambray, and Kurtz.

What is Scanning?
- How does it differ from footprinting?
  – Footprinting did not necessarily attempt to access the target system(s) directly
- Direct examination of target systems
  – Determine if a system is alive – network ping sweep
  – Determine which services are up
  – Determine OS type/version
  – Determine protocol stack versions

Determining if system is alive
Popularity=10; Simplicity=9; Impact=3; Risk Rating=7
- Purpose
  – Find out which IP addresses have live hosts on them
  – No point in detailed examination of an empty address!
- Network ping sweep
  – ARP host discovery
  – ICMP host discovery
  – OS utilities
  – Network discovery tools
  – TCP/UDP host discovery
- Ping sweep countermeasures

ARP Host discovery
- Address Resolution Protocol
  – Works on top of layer 2, in parallel with the network layer; has its own ethertype value
  – Needed for "plug-and-play" autoconfiguration and mobility
  – Request is broadcast to all hosts on the LAN
  – Host with the matching address is required to respond
  – Attacker needs to be on the same LAN
- arp-scan by NTA Monitor (nta-monitor.com/tools/arp-scan)
  – Must be run as super-user
  – Takes a CIDR subnet address range as input
  – Returns all responding hosts with IP and MAC addresses
  – Includes OUI of the MAC if known
- Nmap by Fyodor (nmap.org)

ARP Host discovery
- Nmap by Fyodor (nmap.org)
  – De facto tool of choice; works on Linux, Windows, Mac
  – Does much more than ARP scanning
  – ARP scan through the -PR option
  – Turn off the port scan using the -sn option
  – Reports IP address, MAC address, OUI name, and latency
- CAIN (oxid.it/cain.html)
  – Windows tool
  – Does much more than ARP scanning
  – GUI-based tool
- Limitations of ARP scanning
  – Cannot reach targets on distant network segments

ICMP Host discovery
- Internet Control Message Protocol (ICMP) intended uses
  – Diagnostics and troubleshooting needed on the Internet
  – ICMP used for diagnostics, error reporting, management, etc.
- ICMP messages
  – Echo request/reply (ping)
  – Destination unreachable
  – Source quench
  – Redirect
  – Time exceeded (TTL reached 0)
  – Timestamp request/reply (used in enumeration)
  – Information request/reply
  – Address mask request/reply (used in enumeration)

ICMP Host discovery
- OS ping utility uses ICMP echo request/reply messages
  – A host that receives a request must reply
  – Can also be used in a smurf attack (using broadcast)
- Host may be configured not to respond to echo requests
  – May still respond to other messages

Network discovery tools
- Nmap
  – Besides the ICMP ping sweep, also does ARP sweep and TCP pings
  – Limit activity (to avoid detection by IDS) using -sn (no port scan), -PE (use echo request), and --send-ip (no ARP scan)
  – If on a different subnet, --send-ip is not needed
  – Individual and CIDR subnet addressing
  – Gives responding host IP, MAC, OUI name, latency
  – Has -PM option for address mask and -PP option for timestamp, in case the host is configured to ignore ECHO REQUEST messages

Network discovery tools
- hping3 and nping
  – Very flexible tools: select flags and message types, spoof source address (IP and MAC), set number of messages to send
  – nping ships with nmap
- superscan
  – Windows tool
  – Free from Foundstone
  – Fast ping sweep
  – GUI with options for echo request, timestamp, address mask, and information request messages
  – Also supports UDP and TCP port scans and more
  – Can give HTML output

TCP/UDP Host discovery
- Especially useful when ICMP responses are limited
- Servers provide services over the network
  – Must be able to take clients
  – May be open through the firewall
- May have to probe multiple ports to find an open service
  – Any response indicates the host is alive
  – More probing = higher visibility to IDS
- Local hosts (not servers) may also have services
  – File sharing
  – Remote desktop
  – Management tools
  – Often have a local firewall

TCP/UDP Host discovery
- nmap
  – -sn option also includes port 80 (www)
  – -Pn option for 1000 common ports
  – -p option to specify one particular port
  – --open option to suppress IP addresses that don't respond
- nping
  – Also provides a port scan option
  – Output is noisier
- superscan
  – Also provides options to probe particular ports or port ranges
  – Can take a file with a list of IP addresses to scan

Ping sweep countermeasures
- Detection
  – May want to leave ICMP diagnostic abilities in place for legitimate use
  – May want to use as "early warning" of an impending attack
  – Most standard network and desktop firewall tools can be configured to detect ping sweeps
  – Many OS tools available for this also
  – Detection does little good if nobody is watching
- Prevention
  – Limit which ICMP messages will be allowed
  – Limit where they will be received from/sent to
  – Pingd allows handling at user level (flexible access control)
  – Can prevent exchange of info by a compromised system using the data field in ECHO REQUEST (loki2, etc.)

Determining services that are up
Popularity=10; Simplicity=10; Impact=7; Risk Rating=9
- Port scanning
  – Send packets to TCP and UDP ports to find listening servers
  – Find live hosts
  – Determine which services are open
  – Help identify OS type, version
  – Identify specific applications/versions of a particular service

Scan Types
- TCP connect scan
  – Completes the 3-way handshake
  – Takes longer
  – Can be run as a regular user
- TCP SYN scan (half-open scan)
  – Sends SYN, waits for SYN-ACK
  – SYN-ACK = open, RST = not open (usually)
  – Stealthier
  – Can produce a DoS attack on the target
- TCP FIN scan
  – Sends FIN
  – Should receive RST from a closed port (see RFC 793)
  – Usually works on Unix-based stacks

Scan Types
- TCP Xmas tree scan
  – Sends a TCP packet with FIN, URG, and PUSH set
  – Should receive RST on closed ports
- TCP Null scan
  – Sends a TCP segment with no flags set
  – Should receive RST on closed ports
- TCP ACK scan
  – Sends a packet with ACK set
  – Helps determine firewall policies, capabilities
- TCP Window scan
  – Looks at how rwnd is handled in the RST sent in reply to an ACK segment
- TCP RPC scan (see next slide)
- UDP scan (see next slide)

Scan Types
- TCP RPC scan
  – Many Unix systems implement portmapper
  – Used with RPC/RMI to find services
  – Server registers its service with portmapper (with program/version)
  – Client contacts portmapper to request a service, gets the port number
- UDP scan
  – Connectionless
  – Host sends an ICMP "port unreachable" message if nothing is listening
  – Port may be open if no error message is received
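The scan types above all rely on how a TCP stack answers an unsolicited segment. The following is an added example, not code from the slides or from nmap: it encodes the RFC 793 reply rules for each probe type and what a scanner can infer from the reply, including the non-conforming behaviour (every non-SYN/ACK probe answered with RST) that makes FIN/Null/Xmas scans unreliable outside Unix-like stacks. Nothing is sent on the wire; `stack_response`, `infer_state` and `scan_matrix` are names chosen here.

```python
# Added example (not from the slides): a model of how a stack following
# RFC 793 answers each unsolicited probe, and what a scanner can therefore
# infer from the reply. Nothing is sent; this only encodes the rules.
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe types from the slides, as TCP flag bitmasks
PROBES = {"SYN": SYN, "FIN": FIN, "NULL": 0, "XMAS": FIN | URG | PSH, "ACK": ACK}

def stack_response(flags: int, port_open: bool, rfc793: bool = True) -> Optional[str]:
    """Reply a stack sends to one probe; None means it is silently dropped.
    rfc793=False models stacks (e.g. Windows) that answer every non-SYN/ACK
    probe with RST, which is why FIN/NULL/Xmas scans fail there."""
    if flags & RST:
        return None                   # an RST is never answered
    if flags & ACK:
        return "RST"                  # no connection exists: ACK gets RST either way
    if not port_open:
        return "RST"                  # closed port: anything else gets RST
    if flags & SYN:
        return "SYN-ACK"              # open port: SYN gets SYN-ACK (half-open)
    return None if rfc793 else "RST"  # open port: FIN/NULL/XMAS dropped per RFC 793

def infer_state(probe: str, reply: Optional[str]) -> str:
    """What the scanner concludes from the reply to one probe type."""
    if probe == "ACK":                # says only whether a filter intervened
        return "unfiltered" if reply == "RST" else "filtered"
    if probe == "SYN":
        return {"SYN-ACK": "open", "RST": "closed"}.get(reply, "filtered")
    # FIN / NULL / XMAS: silence is ambiguous, hence open|filtered
    return "closed" if reply == "RST" else "open|filtered"

def scan_matrix(rfc793: bool = True) -> dict:
    """Run every probe against an open and a closed port on the model stack;
    keys are (probe, port_open), values are (reply, inferred state)."""
    out = {}
    for name, flags in PROBES.items():
        for state in (True, False):
            reply = stack_response(flags, state, rfc793)
            out[(name, state)] = (reply, infer_state(name, reply))
    return out
```

`scan_matrix(rfc793=False)` shows the failure mode the slides mention: a FIN probe to an open port on such a stack draws an RST, so the scanner reports the port as closed.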

Identifying Services
- TCP SYN port scan using nmap
  – Use -sS option
  – Use -oN to save human-readable output
  – Use -oG to save the grepable (tab-delimited) version
  – Use -oX to save XML
  – -oA saves in all formats
  – Lists open ports with nominal services
  – -f option to fragment packets
    Some firewalls will not reassemble fragments, just pass the packets
    May make it harder for an IDS to detect the scan
  – -D option provides for decoy source addresses
    Burdens the target with having to track down all scans
    Take care to use real IP addresses to avoid a SYN attack DoS
  – -b option to use FTP bounce scanning
    Uses older FTP servers to reflect packets

Identifying Services
- SuperScan (Foundstone.com)
  – Windows/GUI-based alternative to nmap
  – Port scans in addition to ICMP and ARP scans
  – Select port or port range to scan, and protocol
  – Select special techniques for TCP, UDP
  – UDP data+ICMP method
    Multiple UDP packets to a port
    May overwhelm ICMP response capability
    Very accurate, but slow
- ScanLine
  – Windows/command-line tool (also Foundstone)
  – Single executable, easier to load onto a compromised system
  – Many options
- Netcat (nc)
  – Older, command-line tool
  – "Swiss army knife"

Port Scanning Countermeasures
- Detection
  – IDS (e.g., Snort – snort.org)
  – Unix scanlogd (openwall.com/scanlogd) detects TCP scans
    See openwall.com/scanlogd/P53-13.gz for more
  – Configure firewall to detect and alert
    Use grouping to avoid DoS on
  – Attacker (Foundstone.com)
    Can monitor specific ports
    Mostly useful against naive attackers
- Prevention
  – Disable all unnecessary services
  – System specific
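Both the ping sweep countermeasures and the port scan countermeasures above come down to the same detection idea (scanlogd-style): one source touching many distinct hosts, or many distinct ports on one host, inside a short window. The following is an added example, not code from the slides or from scanlogd: a minimal detector over constructed iptables-style log lines. The log format, the thresholds and the sample addresses are assumptions chosen for the demo.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<t>\d+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
                    r"PROTO=(?P<proto>\w+)(?: DPT=(?P<dpt>\d+))?(?: TYPE=(?P<type>\d+))?")

# Constructed sample: 10.0.0.9 pings four hosts, then probes five ports on
# 10.0.0.3; 10.0.0.20 is a normal client using port 443 repeatedly.
SAMPLE_LOG = """\
100 SRC=10.0.0.9 DST=10.0.0.1 PROTO=ICMP TYPE=8
101 SRC=10.0.0.9 DST=10.0.0.2 PROTO=ICMP TYPE=8
101 SRC=10.0.0.9 DST=10.0.0.3 PROTO=ICMP TYPE=8
102 SRC=10.0.0.9 DST=10.0.0.4 PROTO=ICMP TYPE=8
110 SRC=10.0.0.9 DST=10.0.0.3 PROTO=TCP DPT=21
110 SRC=10.0.0.9 DST=10.0.0.3 PROTO=TCP DPT=22
111 SRC=10.0.0.9 DST=10.0.0.3 PROTO=TCP DPT=23
111 SRC=10.0.0.9 DST=10.0.0.3 PROTO=TCP DPT=25
112 SRC=10.0.0.9 DST=10.0.0.3 PROTO=TCP DPT=80
100 SRC=10.0.0.20 DST=10.0.0.3 PROTO=TCP DPT=443
150 SRC=10.0.0.20 DST=10.0.0.3 PROTO=TCP DPT=443
"""

def first_burst(events, window, threshold):
    """events: [(t, key)]. Start time of the first `window`-second span holding
    >= threshold distinct keys (sliding window), or None if there is none."""
    events.sort()
    lo = 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1
        if len({k for _, k in events[lo:hi + 1]}) >= threshold:
            return events[lo][0]
    return None

def detect(log, window=10, sweep_hosts=4, scan_ports=5):
    """Sorted (kind, src, start) alerts: 'ping sweep' when one source echo-requests
    >= sweep_hosts distinct hosts, 'port scan' when it hits >= scan_ports distinct
    ports on one host, each within `window` seconds."""
    echo, ports = defaultdict(list), defaultdict(list)
    for m in filter(None, map(LOG_RE.match, log.splitlines())):
        t = int(m["t"])
        if m["proto"] == "ICMP" and m["type"] == "8":   # echo request
            echo[m["src"]].append((t, m["dst"]))
        elif m["dpt"]:                                   # TCP/UDP with a dest port
            ports[(m["src"], m["dst"])].append((t, int(m["dpt"])))
    checks = [("ping sweep", src, evs, sweep_hosts) for src, evs in echo.items()]
    checks += [("port scan", src, evs, scan_ports) for (src, _), evs in ports.items()]
    alerts = [(kind, src, start) for kind, src, evs, thr in checks
              if (start := first_burst(evs, window, thr)) is not None]
    return sorted(alerts)
```

The thresholds are the tuning knob the slides warn about: set too low they generate the alert flood ("DoS on" the log) that grouping is meant to avoid, set too high a slow scan spread over many windows goes unnoticed.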

Detecting the OS - 1
Active OS Detection
Popularity=10; Simplicity=8; Impact=4; Risk Rating=7
- Banner grabbing (later)
- Available ports signature
  – Some systems use particular ports for services
- Active stack fingerprinting
  – Responses to probes are implementation dependent
  – Multiple types of probes used to narrow the field
  – See insecure.org/nmap/nmap-fingerprinting-article.html
Hard to prevent, not so hard to detect

Detecting the OS - 2
Active Stack Fingerprinting Probes
- FIN probe
  – Correct not to respond, but some send FIN/ACK
- Bogus flag probe (in SYN packet)
  – Correct to ignore, but some set the flag in the SYN-ACK
- Initial Sequence Number (ISN) sampling
  – Patterns may be found in the ISNs chosen for connections that depend on the OS
- DF bit monitoring
  – Some OSes may set DF in the IP header to improve performance
- TCP initial window size
  – Some systems have a characteristic initial rwnd size
  – Note that rwnd is an indication of buffer space at the receiver, set by the OS
- ACK value
  – May use last SN (less common) or last SN+1 (usual)

Detecting the OS - 3
- ICMP error message quenching
  – Systems may limit the number of ICMP error messages (RFC 1812)
  – Send UDP packets to random ports, determine the rate of ICMP port unreachable messages
- ICMP message quoting
  – ICMP error messages include some initial portion of the offending datagram
  – Amount of data included varies according to system
- ICMP error message-echoing integrity
  – Some systems change the IP headers quoted in ICMP error messages
- TOS on ICMP port unreachable message
  – Usually TOS=0, but may vary
- Fragmentation handling
  – Observe how probe packets with overlapping fragments are reassembled
- TCP options
  – Which options are set (e.g., RFC 793 only, or RFC 1323 also) varies

Detecting the OS - 4
Passive OS Detection
Popularity=5; Simplicity=6; Impact=4; Risk Rating=5
- Less obtrusive than active OS fingerprinting
- Monitor traffic to/from the target
  – Requires a favorable position
- Passive signatures
  – TTL on outbound datagrams
  – Initial window size (rwnd)
  – DF (don't fragment) bit set?
  – Siphon tool (packetstormsecurity.org)
Hard to prevent, hard to detect
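The passive signatures listed above (TTL, initial window, DF bit) can be matched against a signature table the way Siphon or p0f do. The following is an added example, not code from the slides or from either tool: it normalises an observed TTL back to a conventional starting value (which also yields a hop estimate) and scores a small signature table. The table is constructed for illustration; 64 and 128 are the conventional Linux and Windows default initial TTLs, but the window values are not measured, and `Sig`, `initial_ttl` and `guess_os` are names chosen here.

```python
# Added example (not from the slides or any real tool): passive OS guessing
# from the TTL, window size and DF bit of observed segments.
from dataclasses import dataclass

INITIAL_TTLS = (32, 64, 128, 255)   # conventional starting TTLs

@dataclass(frozen=True)
class Sig:
    os: str
    initial_ttl: int
    window: int
    df: bool

# Constructed signatures: 64/128 are the conventional Linux/Windows initial
# TTLs; the window values are illustrative, not measured from real stacks.
SIGNATURES = [
    Sig("linux-like", 64, 29200, True),
    Sig("windows-like", 128, 8192, True),
    Sig("legacy-bsd-like", 64, 65535, False),
]

def initial_ttl(observed_ttl: int):
    """Smallest conventional starting TTL not below the observed value, and the
    implied hop count. Returns (None, None) for values above 255."""
    for start in INITIAL_TTLS:
        if observed_ttl <= start:
            return start, start - observed_ttl
    return None, None

def guess_os(ttl: int, window: int, df: bool):
    """Score each signature: initial TTL 2 points, DF 1, window 1 (max 4).
    Returns (os, score, hops); os is 'unknown' unless the best score is >= 2."""
    start, hops = initial_ttl(ttl)
    best, best_score = "unknown", 0
    for sig in SIGNATURES:
        score = 2 * (sig.initial_ttl == start) + (sig.df == df) + (sig.window == window)
        if score > best_score:       # ties keep the first signature listed
            best, best_score = sig.os, score
    return (best if best_score >= 2 else "unknown"), best_score, hops
```

A real deployment would also sample several segments from the same host before trusting a guess, since a single odd packet (or a NAT device rewriting TTLs) can skew all three fields.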

Storing and Processing Scan Data
- Large amounts of data may be produced
- Desirable to have ways to sift through the data and select items of interest
- Metasploit (metasploit.com)
  – Postgres database for querying
  – Can run nmap from Metasploit
  – Can import nmap output into the database
  – Then run queries to select desired items
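Importing scan output and querying it, as Metasploit does, starts with parsing one of nmap's output formats; the grepable format (-oG from the "Identifying Services" slide) is the simplest to handle by hand. The following is an added example, not code from the slides, nmap or Metasploit: a parser for the grepable format's `Host:` lines and a small query over the result. The sample output is constructed (the hosts, names and versions are invented), and `parse_gnmap` and `hosts_with` are names chosen here.

```python
import re

# Constructed sample in nmap's grepable (-oG) format; hosts, names, versions
# and timestamps are invented for this example.
SAMPLE_GNMAP = (
    "# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sV -oG out.gnmap 10.0.0.0/29\n"
    "Host: 10.0.0.1 ()\tStatus: Up\n"
    "Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, "
    "443/filtered/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.2 (files.example.test)\tStatus: Up\n"
    "Host: 10.0.0.2 (files.example.test)\tPorts: 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)\n"
    "# Nmap done at Mon Jan  1 10:00:03 2024 -- 8 IP addresses (2 hosts up) scanned in 3.21 seconds\n"
)

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)")

def parse_gnmap(text):
    """Return {ip: {"name": str, "status": str|None, "ports": [dict, ...]}}.
    Each port dict carries port, state, proto, service and version, taken from
    nmap's 7-field 'port/state/proto/owner/service/rpc/version/' entries."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # '# Nmap ...' comment lines
        rec = hosts.setdefault(m["ip"], {"name": m["name"], "status": None, "ports": []})
        for field in line.split("\t")[1:]:  # tab-separated 'Key: value' fields
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    f = entry.split("/")
                    rec["ports"].append({"port": int(f[0]), "state": f[1], "proto": f[2],
                                         "service": f[4], "version": f[6]})
    return hosts

def hosts_with(hosts, port, state="open"):
    """Query helper: sorted IPs that show `port` in the given state."""
    return sorted(ip for ip, rec in hosts.items()
                  if any(p["port"] == port and p["state"] == state for p in rec["ports"]))
```

Once the records are in a dict like this, loading them into a database table per (host, port) makes the "select desired items" step a plain SQL query, which is what the Metasploit import achieves with nmap's XML output.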