ITIS 6167/8167: Network Security Weichao Wang. 2 OS detection through TCP/IP fingerprint DNS and its security.


ITIS 6167/8167: Network Security Weichao Wang

2 OS detection through TCP/IP fingerprint DNS and its security

3

4 OS detection through TCP/IP fingerprint Reasons to detect OS –Determine vulnerability of target hosts –Tailor exploits –Network inventory

5 Nmap Nmap (“Network Mapper”) uses IP packets to determine what hosts are available on the networks, what services those hosts are offering (application name and version), what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap is free software, available with full source code at

6 NMAP has been used in many movies

7 Host Discovery TCP SYN Probe –Remote side replies with SYN/ACK or RST TCP ACK Probe –Remote side returns RST UDP Probe –Use an uncommon UDP port (most of the time closed) –Get an ICMP port unreachable report ICMP Echo Request/Ping ICMP Timestamp Request ICMP Netmask Request

8 ARP Probes –Why ARP scan? When you use an ICMP ping scan on the local network, the OS has to send an ARP request to find the MAC address of each target –You end up sending millions of ARP requests, which the OS is not designed for –Nmap controls ARP directly and sends out its own ARP requests

9 Intense Discovery!
# nmap -sP -PE -PP -PS21,22,23,25,80,113,21339 -PA80,113,443,10042 --source-port 53 -n -T4 -iR [ … lots of IPs … ]
Host a.b.c.d appears to be up.
Host w.x.y.z appears to be up.
Nmap finished: IP addresses (699 hosts up) scanned in seconds

10 NMap – Port Scanner Purpose of a port scanner: –Identify unused/unauthorized services in the network (example: unauthorized FTP service, Trojan software) –Discover unused/rogue devices in the network (example: unauthorized notebook computer)

11 NMap – Port Scanner Output

12 NMap – Port Scanner Example

13 NMap – Port Scanner Example

14 Port scan –There are many more scan types besides the TCP SYN scan –Be careful with the scan results; sometimes they are misleading: an implementation may not follow the RFC, or the OS may intentionally confuse the scanner

15 TCP scan –Send only the SYN packet –If a SYN/ACK is received, the port is open –If a RST is received, there is no listener on the port –If there is no response, or an ICMP error report is received, the port is filtered

16 UDP scan –Many UDP ports are open: DNS, SNMP, DHCP, etc. –Send an empty UDP header (no data) to the target ports –Problem of UDP scan: it is too slow, because many OSes rate-limit outgoing ICMP unreachable packets (e.g. Linux and Solaris allow 1 pkt/sec); if there is no response, the UDP packets are resent, which also takes a long time

17 TCP NULL, FIN, and Xmas scans –Use combinations of TCP flag bits to distinguish an open port from a closed port –Null scan: does not set any bits –FIN scan: sets just the TCP FIN bit –Xmas scan: sets the FIN, PSH, and URG flags

18 TCP ACK scan –Tries to tell whether or not the port is filtered –Just sets the ACK bit –If the port is not filtered (the ACK packet reaches the port), you will receive a RST –If an ICMP error report is received, label the port as filtered

19 TCP Window scan –Almost the same as the ACK scan –But looks at the window size in the returned RST packet: a positive window size shows an open port, a zero window size shows the port is closed
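The probe definitions on the preceding slides (SYN-only, ACK-only, NULL, FIN, Xmas) are also what a defender looks for. The following is an added example, not code from the course slides: it reads a simplified, constructed packet log and flags a source that sends bare probe segments to many distinct ports of one host within a short window. The log format, the addresses and the thresholds are all assumptions made for this example.

```python
"""Flag port-scan patterns in a simplified packet log (added example, not from the slides)."""
from collections import defaultdict

# Bare probe signatures: sorted flag string -> scan kind. "-" marks a NULL segment (no flags).
PROBE_KINDS = {"S": "syn", "A": "ack", "-": "null", "F": "fin", "FPU": "xmas"}

# Constructed sample log, one segment per line: "<time> <src> <dst> <dst_port> <flags>"
# 10.0.0.5 sweeps six ports with SYN-only, 10.0.0.9 is a normal client completing a
# handshake on 443, 10.0.0.7 mixes NULL and Xmas probes across five ports.
SAMPLE_LOG = """\
1000.00 10.0.0.5 10.0.0.20 22 S
1000.10 10.0.0.5 10.0.0.20 23 S
1000.20 10.0.0.5 10.0.0.20 25 S
1000.30 10.0.0.5 10.0.0.20 80 S
1000.40 10.0.0.5 10.0.0.20 443 S
1000.50 10.0.0.5 10.0.0.20 8080 S
1001.00 10.0.0.9 10.0.0.20 443 S
1001.01 10.0.0.20 10.0.0.9 443 SA
1001.02 10.0.0.9 10.0.0.20 443 A
1002.00 10.0.0.7 10.0.0.20 21 -
1002.05 10.0.0.7 10.0.0.20 22 -
1002.10 10.0.0.7 10.0.0.20 25 FPU
1002.15 10.0.0.7 10.0.0.20 110 FPU
1002.20 10.0.0.7 10.0.0.20 143 -
1003.00 10.0.0.20 10.0.0.7 21 R
"""


def parse_log(text):
    """Return (time, src, dst, port, kind) for every bare probe; other segments are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, flags = line.split()
        key = "-" if flags == "-" else "".join(sorted(flags))
        kind = PROBE_KINDS.get(key)
        if kind is None:            # SYN/ACK, RST, data segments: ordinary traffic
            continue
        events.append((float(ts), src, dst, int(port), kind))
    return events


def detect_scans(events, window=5.0, min_ports=5):
    """One alert per (src, dst) pair that probes >= min_ports distinct ports within `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, kind in events:
        by_pair[(src, dst)].append((ts, port, kind))
    alerts = []
    for (src, dst), probes in by_pair.items():
        probes.sort()
        for i, (t0, _, _) in enumerate(probes):
            in_window = [p for p in probes[i:] if p[0] - t0 <= window]
            ports = {p[1] for p in in_window}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "start": t0,
                               "ports": len(ports),
                               "kinds": sorted({p[2] for p in in_window})})
                break               # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(parse_log(SAMPLE_LOG)):
        print(alert)
```

The normal client is not reported because all its segments go to a single port; the thresholds are deliberately simple, and a production detector would also watch for SYN/ACK-then-RST half-opens and for responses such as ICMP port unreachable on the UDP side.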

20 Idle Scanning –Uses the IPID of a quiet host (zombie) to check for open ports on other hosts –Nmap spoofs the zombie's address when sending packets to the victim –Polls the zombie to see whether its IPID has incremented (the zombie answers with a RST when it receives an unexpected SYN/ACK from the victim)

21

22 FTP bounce scan –Uses an FTP proxy connection: a user connects to server 1 and asks for files to be sent to host 2 –Uses the FTP server to scan a host's ports

23 OS detection –Send multiple TCP, UDP, and ICMP probes to open or closed ports of the machine –In TCP packets, the following information is used: sequence number, TCP options, window size, congestion control, MSS size, timestamp

24 In ICMP packets, the following information is used: –Handling of the DF bit –TOS field –ICMP code –ICMP identifier

25 In UDP packets, the following information is used: –UDP port number –Handling of the data contents In summary, dozens of attributes are used to fingerprint the OS

26 OS detection –Send dozens of ICMP, TCP, and UDP packets to the host –Analyze every bit of the replies –Map the results to the known fingerprints of OSes

27

28 DNS: Domain name service Motivation: –People cannot remember IP addresses; they want something easier to remember DNS in the early days (ARPANET): –A flat name space without structure –A centralized site to maintain it: a file named hosts.txt at SRI –Advantages: short names –Problems: scalability, conflicts, maintaining copies

29 Hierarchical names –Decentralized naming mechanism: delegating authority and distributing responsibility –Authoritative name servers for each domain can assign other authoritative name servers for their subdomains –Advantages: distributed, fault tolerant, avoids a central registry –Works like a large company: partitioned at every level, and the authority for names in subdivisions is passed to designated agents

30 DNS: two things –Name syntax and rules for delegation –Ways of implementation so that we can efficiently map names to IPs DNS Syntax –Set of labels separated by periods –No label is longer than 63 bytes –At most 127 levels –The whole domain name should not be longer than 253 bytes

31 Example –sis.uncc.edu is a domain –uncc.edu is also a domain –Top-level domain is edu
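The syntax limits on the previous slide (63 bytes per label, at most 127 levels, 253 bytes for the whole name) and the nesting of domains in the example above can be checked mechanically. The following is an added example, not code from the course slides: a validator for those limits, a helper that computes the wire length of a name (which is why the presentation-form limit is 253 rather than 255), and a helper that lists every domain a name belongs to. The function and constant names are assumptions made for this example.

```python
"""Check a domain name against the syntax limits from the slides (added example, not from the slides)."""

MAX_LABEL_BYTES = 63     # each label
MAX_LABELS = 127         # levels in the naming tree
MAX_NAME_BYTES = 253     # presentation form, dots included, no trailing dot


def check_domain_name(name):
    """Return (ok, reason) for a name in presentation form such as 'sis.uncc.edu'."""
    if name.endswith("."):
        name = name[:-1]                         # a trailing dot marks an absolute name
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        return False, "name longer than 253 bytes"
    labels = name.split(".")
    if len(labels) > MAX_LABELS:
        return False, "more than 127 labels"
    for label in labels:
        if label == "":
            return False, "empty label"
        if len(label.encode("utf-8")) > MAX_LABEL_BYTES:
            return False, "label longer than 63 bytes"
    return True, "ok"


def wire_length(name):
    """Bytes the name occupies in a DNS message: a length byte per label plus the zero terminator.
    A 253-byte presentation name therefore takes 255 bytes on the wire."""
    labels = name.rstrip(".").split(".")
    return sum(1 + len(label.encode("utf-8")) for label in labels) + 1


def domains_of(name):
    """Every domain a name belongs to, from the name itself up to its top-level domain."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


if __name__ == "__main__":
    print(check_domain_name("sis.uncc.edu"), domains_of("sis.uncc.edu"))
```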

32 Top level domains

33 New top level domains

34 A domain is not necessarily a geographic concept: –Ten hosts with different names under research.hp.com can be distributed across different branches

35 Mapping domain name to address –Name server: accomplishes the translation –Client: generates the request –Servers are arranged in a tree structure –A given server handles an entire subtree –There are 13 (maybe more now) root servers around the world: this distributes the workload and improves safety

36

37 In practice: –A single server can handle multiple levels of the naming tree –For example, a root server handles all top-level domains –Circular dependencies and glue records –DNS can be used to implement blacklists

38 Efficient translation –Facts: most lookups refer to local names (on machines, you can set up frequently used suffixes); name-address maps change infrequently; users are likely to search the same sites –Initial contact begins with the local DNS server

39 Caching: servers cache answers –Local servers maintain caches –Bindings change infrequently –TTL for each entry: set by the authoritative server; negative entries have a TTL of 600 seconds –Because of caching, not everyone necessarily sees the same thing

40 Two types of queries –Recursive: usually used by the client –Iterative: used by the local DNS server

41 Recursive query: –A resolver sends a recursive query to a name server. –The queried name server is obliged to respond with the requested data or with an error stating that data of the requested type don't exist or that the domain name specified doesn't exist. –The name server can't just refer the querier to a different name server, because the query was recursive.

42 Recursive query: –If the queried name server isn't authoritative for the data requested, it will have to query other name servers to find the answer. –It could send recursive queries to those name servers, thereby obliging them to find the answer and return it. –Or it could send iterative queries and possibly be referred to other name servers "closer" to the domain name it's looking for. –Current implementations are polite and do the latter, following the referrals until an answer is found. –The recursive query should contain the whole query, instead of a shortened version or an explicit query. Why? Efficiency, and the server may not exist –Be careful of circular dependencies

43 Iterative process: –In iterative resolution, a name server simply gives the best answer it already knows back to the querier. –No additional querying is required. –The queried name server consults its local data, looking for the data requested. If it doesn't find the data there, it makes its best attempt to give the querier data that will help it continue the resolution process. Usually these are the domain names and addresses of the closest known name servers.

44

45 Inverse mapping: –Start from the IP address and find out the labels –Use the IP address as part of the domain label –Use the IP address in reverse order, since the first byte usually represents more information, under in-addr.arpa –Many name servers do not support this any more

46

47 DNS port number –TCP and UDP port 53 –Most of the time we use the UDP port –TCP is used for requests of large size (longer than 512 bytes) and for zone transfers

48 Resource records: –Store the domain name data –Can be of different types: A (address), MX (mail exchanger), NS (name server), etc. –Wildcard DNS records

49
ISI.EDU.        MX  10 VENERA.ISI.EDU.
                MX  10 VAXA.ISI.EDU.
VENERA.ISI.EDU. A
                A
VAXA.ISI.EDU.   A
                A

50 The difference between domain and zone –This is important: the name server may know its zone instead of the whole domain –A zone consists of a collection of connected nodes served by an authoritative name server –A single name server can host multiple zones –A zone contains the domain names in this domain, except for those in delegated subdomains –A domain contains more information than the name server would need

51 Information that defines a zone –Authoritative data for all nodes within the zone –Data that defines the top node of the zone –Data that describes delegated subzones –Data that allows access to name servers for subzones: avoids the chicken-and-egg situation –The servers for a zone do not need to reside on a host in that domain –Zones are described by resource records

52 Domain server message format: –Can ask multiple questions in a single message (need to identify the number of questions) –You need to identify the domain name, class (internet), and type –How to represent domain names: multiple labels; each label is preceded by a length byte; a length byte of 0 identifies the end; a pointer (two bytes) may also be used

53 The query would look like:
Header     | OPCODE=SQUERY
Question   | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=A
Answer     | <empty>
Authority  | <empty>
Additional | <empty>

54 The response would look like:
Header     | OPCODE=SQUERY, RESPONSE, AA
Question   | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=A
Answer     | SRI-NIC.ARPA IN A
           | IN A
Authority  | <empty>
Additional | <empty>

55

56 Security problems of DNS –Protocol-based attacks: based on how DNS works –Server attacks: based on bugs in the programs or machines running DNS

57

58 Protocol attacks: –DNS spoofing –DNS ID hacking –DNS cache poisoning Cache poisoning: –Maps a domain to an attacker's IP –Usually through related or unrelated data attacks

59 DNS spoofing: –Answer DNS queries intended for another server –May need to guess the DNS request identification (16 bits) and the source UDP port number

60 Unrelated data attack –The attacker asks the victim DNS server for a non-existing name whose mapping is served by a server under the attacker's control, using a "recursive" request to hide itself –When the victim DNS server asks the malicious server, it provides unrelated information to poison the victim –Has been fixed now: forbid any unrelated data

61

62 Related data attack –The attack procedure is the same, but the data has to be made related –Uses MX, CNAME, and NS records of the same domain –These records do not provide a real IP but just another domain name –Can poison the cache of the victim –Has been fixed: reject any out-of-zone data
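The fix the two preceding slides describe ("forbid any unrelated data", "reject any out-of-zone data") is a bailiwick check: a resolver that followed a delegation to the server for some zone only accepts records whose owner name lies inside that zone. The following is an added example, not code from the course slides or from any resolver: a filter that applies this rule to a constructed response of the related-data kind, where a CNAME and an NS record inside the attacker's own zone point at names outside it and the response tries to carry the A records for those outside names along. The zone, the names and the addresses are all constructed for this example.

```python
"""Bailiwick filter for resolver responses (added example, not from the slides)."""


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or a name below it; the comparison is label-aligned,
    so 'xattacker.example' is not inside 'attacker.example'."""
    owner = owner.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone, records):
    """Split records from the server for `zone` into (kept, dropped).
    Dropped records are out of zone and must never enter the cache."""
    kept, dropped = [], []
    for rec in records:
        (kept if in_bailiwick(rec["name"], zone) else dropped).append(rec)
    return kept, dropped


# Constructed response from the server for attacker.example (related-data pattern):
# the CNAME and NS records are in zone, but the A records they depend on are not.
POISONED_RESPONSE = [
    {"name": "www.attacker.example.", "type": "CNAME", "data": "www.bank.example."},
    {"name": "www.bank.example.",     "type": "A",     "data": "198.51.100.7"},
    {"name": "attacker.example.",     "type": "NS",    "data": "ns.bank.example."},
    {"name": "ns.bank.example.",      "type": "A",     "data": "198.51.100.8"},
    {"name": "ns.attacker.example.",  "type": "A",     "data": "203.0.113.5"},
]


def cache_after_filter(zone, records):
    """What a resolver would cache from this response: in-zone records only, keyed by (name, type)."""
    kept, _ = filter_response(zone, records)
    return {(r["name"], r["type"]): r["data"] for r in kept}


if __name__ == "__main__":
    kept, dropped = filter_response("attacker.example", POISONED_RESPONSE)
    print("kept:", [r["name"] for r in kept])
    print("dropped:", [r["name"] for r in dropped])
```

After the filter the resolver still has to look up www.bank.example. and ns.bank.example. on its own, starting from the servers that are actually authoritative for bank.example, which is exactly what stops the attacker's server from deciding those answers.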

63 DNS ID hacking

64 If the attacker can eavesdrop on the packets: –Can easily find the ID and port number If not on the same network: –Has to guess the ID and UDP port –Some DNS servers use consecutive numbers for the ID –How to really do it?
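Whether an off-path guess of the ID and port is feasible depends on how a resolver chooses them, and that is something an operator can measure from a capture of the resolver's own outgoing queries. The following is an added example, not code from the course slides: given (transaction ID, source port) pairs from consecutive outgoing queries, it reports the weaknesses the slide names (consecutive IDs, a fixed source port) and estimates the entropy of each field. The two sample sequences are constructed; the function names are assumptions made for this example.

```python
"""Assess how guessable a resolver's query IDs and source ports are (added example, not from the slides)."""
import math
import random
from collections import Counter


def entropy_bits(values):
    """Empirical Shannon entropy of the observed values, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_query_ids(samples):
    """samples: list of (transaction_id, source_port) from consecutive outgoing queries."""
    ids = [txid for txid, _ in samples]
    ports = [port for _, port in samples]
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    sequential = sum(1 for d in deltas if d == 1) / max(len(deltas), 1)
    findings = []
    if sequential > 0.5:
        findings.append("transaction IDs increase sequentially")
    if len(ids) >= 10 and max(ids) - min(ids) < 4096:
        findings.append("transaction IDs span a narrow range")
    if len(set(ids)) < 0.9 * len(ids):
        findings.append("transaction IDs repeat")
    if len(set(ports)) == 1:
        findings.append("source port is fixed")
    return {
        "sequential_fraction": sequential,
        "id_entropy_bits": entropy_bits(ids),
        "port_entropy_bits": entropy_bits(ports),
        "findings": findings,
        "predictable": bool(findings),
    }


# Constructed: a resolver that counts its IDs up and always sends from port 53 ...
WEAK_SAMPLES = [(1000 + i, 53) for i in range(40)]
# ... and one that draws a random 16-bit ID and a random ephemeral port for every query.
_rng = random.Random(7)
STRONG_SAMPLES = [(_rng.randrange(65536), _rng.randrange(1024, 65536)) for _ in range(40)]


if __name__ == "__main__":
    print("weak  :", assess_query_ids(WEAK_SAMPLES)["findings"])
    print("strong:", assess_query_ids(STRONG_SAMPLES)["findings"])
```

Forty samples cannot prove that a 16-bit field is uniformly random, so a clean result here only rules out the gross defects; the sequential and fixed-port cases, on the other hand, are unambiguous with this little data.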

65 Server attacks on DNS –Buffer overflows in the DNS software –DoS attacks –About 33% of DNS servers are spoofable –Attacks through zone transfer