Networks Fall 2009
Review – Last Lecture: Computer Crimes, Social Engineering, Network Scanning
Review - Social Engineering
The most common type of attack.
Basically: lying to someone to gain information on how to penetrate the network or systems.
Preys upon the basic tendency in a company to trust other company personnel and believe what they are told over the phone or
No detailed technical skills required, but the attacker must be credible and knowledgeable of the organization and of its methods and procedures to gain access.
Easiest place to attack: users and the support desk.
Review - Footprinting
Before a hacker attempts to gain access to a system, time must be spent gathering information about the target. This process is known as footprinting; it is a critical step in subverting the security of a target system.
Footprinting is the hacking equivalent of casing a potential robbery location.
Systematic footprinting allows the hacker to create a complete profile of the target system, including information about the domain, network blocks, IP addresses exposed on the Internet, and system architecture.
Once the profile is known, a hacker will be able to focus on specific machines and ports to gain access to the system.
Outline: Computer Crimes, Ping Sweep, Port Scan
Computer Crimes
Crimes 1
Traci Southerland has been sentenced to 13 years in prison for stealing personal information from the Hamilton County (OH) Clerk of Courts' website and using it to commit identity fraud. Southerland and seven others used the stolen information to commit credit card and check fraud, netting them US$500,000. The county clerk's website now blocks access to documents that hold personally identifiable information.
Crimes 2
Six people have been indicted on fraud charges for their involvement in a phishing scam that tried to gather credit card and bank account numbers from AOL users. The individuals allegedly gathered thousands of AOL addresses and sent maliciously crafted e-cards that downloaded software that prevented the users from logging on to AOL without providing credit card or bank account information. The cyber thieves allegedly used the stolen financial account information to buy computers, gift cards and gaming consoles. Three of the men have already pleaded guilty and face between two and nine-and-a-half years in prison when they are sentenced in December. The other three people have not yet been arraigned.
Crimes 3
A contract worker at the Stevens Hospital emergency room in Edmonds, Washington stole patients' credit card numbers and gave the information to her brother, who used it to buy thousands of dollars worth of goods over the Internet. Yvon Hennings pleaded guilty to conspiracy to commit access device fraud and wire fraud. She will be sentenced in November and her brother's trial is slated to begin in January 2007. The data breach affected patients who visited the emergency room between December 2003 and January 2005.
Ping Sweep
Ping Sweeping
The first step in scanning is to determine which IP addresses in the network block are machines that are live hosts. This process can be done using the Internet Control Message Protocol (ICMP).
ICMP was designed as a simple protocol to report network error conditions and supply basic network information. Unfortunately, ICMP can be used by hackers for network reconnaissance.
ICMP is a particularly good protocol for identifying active IP addresses. Unlike the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), ICMP does not connect to a particular service on a given host, but rather attempts to contact the host operating system.
Knowing the IP address of a host is enough to determine if the host is alive: simply send it an ICMP echo request (a ping), and if it responds, you know the machine is alive.
Using ICMP to determine live hosts on a network is often termed ping sweeping.
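To make the echo request / echo reply exchange concrete, here is an added Python example (not part of the lecture slides) that encodes an ICMP echo request and reply as they appear on the wire, computes and verifies the RFC 1071 checksum, and decides that a host is "alive" only when the reply carries back the request's identifier, sequence number and payload. The packets are constructed in memory; nothing is sent on a network, and the identifier and payload values are arbitrary choices.

```python
import struct

# ICMP message types (RFC 792) used by ping
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(msg_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Encode an echo request (type 8) or echo reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)   # checksum field zeroed first
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header; a packet with a correct checksum sums to zero."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP message")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def is_reply_to(request: bytes, reply: bytes) -> bool:
    """The host counts as alive when an echo reply mirrors the request's id, seq and payload."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (req["type"] == ICMP_ECHO_REQUEST and rep["type"] == ICMP_ECHO_REPLY
            and (req["id"], req["seq"], req["payload"]) == (rep["id"], rep["seq"], rep["payload"]))


if __name__ == "__main__":
    # Constructed exchange: the request a ping tool sends and the reply a live host returns.
    request = build_icmp_echo(ICMP_ECHO_REQUEST, ident=0x1234, seq=1, payload=b"ping?")
    reply = build_icmp_echo(ICMP_ECHO_REPLY, ident=0x1234, seq=1, payload=b"ping?")
    print("host alive:", is_reply_to(request, reply))
```

The identifier and sequence fields are what let a ping tool match replies to its own requests, and they are also what a network monitor uses to pair the two halves of a sweep when counting how many distinct hosts one source probed.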
Example
The whois on plu found the network IP address range. How many of those addresses are actually used?
Find out by sending a ping to each one: ping, ping, ping ...
This could take a lot of time . . .
Ping Run
Example of a successful ping:
Example of an unsuccessful ping:
Use nmap
The ping sweep can be automated using nmap. The command is:
nmap -sP /29
This is a particularly noisy scan that can be detected by an IDS that looks for a threshold amount of ICMP echo requests originating from the same location over a given amount of time. Most IDSs are capable of detecting this type of scan, so it is not often used in practice.
Example Run
Using NMapWin, 3 systems at PLU were up and running:
Work Around 1
If a hacker can limit the number of echo requests issued, it may be possible to not trigger an IDS alarm because the threshold amount of ICMP requests will not be exceeded.
By issuing ICMP echo requests to known broadcast addresses, the number of pings can be kept to a minimum. For example, addresses with 0 and 255 for the last byte are reserved and are typically used as broadcast addresses to send a message to all addresses in the network. Therefore, a clever hacker will send ICMP echo requests to the 0 and 255 addresses for a given block and potentially get back 254 echo replies.
This is much more efficient and stealthy than a scan that sends individual requests to all 254 potentially active machines.
Workaround 2
Another way to avoid easy detection is to use a non-echo ICMP request, such as a timestamp request or an address mask request.
A useful tool is icmpush, which will set up and send an ICMP request. For example:
icmpush -tstamp kenny.sys-security.com -> 13:48:07
RESULT: The site is on-line
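The three slides above (the noisy nmap sweep, the broadcast-address workaround, and the non-echo workaround) each describe a behaviour an IDS can look for. The following added Python example, which is not part of the lecture, runs all three checks over a constructed ICMP log: a burst of echo requests from one source exceeding a threshold inside a sliding time window, echo requests aimed at .0/.255 broadcast-style addresses, and timestamp or address-mask requests, which ordinary hosts rarely send. The log line format is an assumption made for the example, and the addresses come from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# ICMP message types (RFC 792 / RFC 950) that matter for host discovery
ECHO_REQUEST = 8
NON_ECHO_PROBES = {13: "timestamp request", 17: "address mask request"}

# Constructed log format: "<ISO timestamp> src=<ip> dst=<ip> icmp_type=<n>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) icmp_type=(?P<type>\d+)$")


def is_broadcast_style(ip: str) -> bool:
    """Last octet 0 or 255, the addresses the Work Around 1 slide describes."""
    return int(ip.rsplit(".", 1)[1]) in (0, 255)


def detect_icmp_recon(lines, threshold=10, window_seconds=60):
    """Return (kind, src, dst, detail) alerts for the three sweep patterns."""
    alerts = []
    recent = defaultdict(deque)        # src -> timestamps of echo requests in the window
    flagged_sweep = set()              # alert once per source, not once per packet
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                   # skip lines that are not ICMP records
        ts = datetime.fromisoformat(m["ts"])
        src, dst, msg_type = m["src"], m["dst"], int(m["type"])
        if msg_type in NON_ECHO_PROBES:
            alerts.append(("non_echo_probe", src, dst, NON_ECHO_PROBES[msg_type]))
        if msg_type != ECHO_REQUEST:
            continue
        if is_broadcast_style(dst):
            alerts.append(("broadcast_probe", src, dst, "echo request to .0/.255 address"))
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                # drop requests that fell out of the window
        if len(q) >= threshold and src not in flagged_sweep:
            flagged_sweep.add(src)
            alerts.append(("echo_sweep", src, None, f"{len(q)} echo requests within {window_seconds}s"))
    return alerts


# Constructed sample: one sweep, one broadcast probe, one timestamp probe, one ordinary host
SAMPLE_LOG = (
    [f"2009-10-05T13:48:{i:02d} src=192.0.2.10 dst=198.51.100.{i + 1} icmp_type=8" for i in range(12)]
    + ["2009-10-05T13:49:00 src=192.0.2.20 dst=198.51.100.255 icmp_type=8",
       "2009-10-05T13:49:05 src=192.0.2.30 dst=198.51.100.17 icmp_type=13",
       "2009-10-05T13:49:10 src=192.0.2.40 dst=198.51.100.17 icmp_type=8",
       "2009-10-05T13:52:00 src=192.0.2.40 dst=198.51.100.17 icmp_type=8"]
)

if __name__ == "__main__":
    for alert in detect_icmp_recon(SAMPLE_LOG):
        print(alert)
```

The threshold and window are the two knobs the nmap slide refers to: a sweep spread thinly enough over time stays under the threshold, which is exactly why the broadcast and non-echo checks are worth running alongside the simple counter.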
Port Scan
Progress
From the whois and the ping sweep we know that plu has at least 3 hosts available: shemp.cs.plu.edu, antfarm.cs.plu.edu, mem105cam.cs.plu.edu.
Now we want to find out what services are available, in the form of which ports are open.
Remember: ports represent common services on a system, such as ftp on port 21 and the web on port 80.
Port Scan Methods
Port scanning can be subdivided into three groups: horizontal, vertical, and block scans.
A horizontal scan is a scan that queries a specific port on numerous machines. This is used when an exploit is known for a particular service and the hacker wants to know what machines are running this vulnerable service. An example would be scanning for the notoriously vulnerable ftp on port 21.
A vertical scan queries all the ports on a given host. For example, if a hacker wants to alter the content of the CS web site, all ports on the web server would be scanned.
A block scan is a combination of a vertical and horizontal scan. A block scan can determine the same information as an ICMP ping sweep (i.e., what machines are active in the network block), with the added benefit of determining the services running on the active hosts.
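The horizontal / vertical / block distinction is also how a defender reads connection logs: one source touching many hosts on one port, one host on many ports, or many of both. The added Python example below (not from the lecture) classifies sources by that shape from constructed (src, dst, dport) connection-attempt records; the threshold of five distinct targets is an arbitrary choice for the example, and the addresses are documentation ranges.

```python
from collections import defaultdict


def classify_scan_shapes(records, min_targets=5):
    """records: (src, dst, dport) connection attempts.
    Returns {src: 'horizontal' | 'vertical' | 'block'} for sources whose distinct
    destination hosts or ports reach min_targets; ordinary clients are omitted."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport in records:
        hosts[src].add(dst)
        ports[src].add(dport)
    shapes = {}
    for src in hosts:
        many_hosts = len(hosts[src]) >= min_targets   # same port, many machines
        many_ports = len(ports[src]) >= min_targets   # many ports on a machine
        if many_hosts and many_ports:
            shapes[src] = "block"
        elif many_hosts:
            shapes[src] = "horizontal"
        elif many_ports:
            shapes[src] = "vertical"
    return shapes


# Constructed sample records: one scanner of each shape plus an ordinary web client
SAMPLE_RECORDS = (
    [("192.0.2.10", f"198.51.100.{h}", 21) for h in range(1, 9)]      # port 21 on eight hosts
    + [("192.0.2.11", "198.51.100.5", p) for p in range(1, 11)]        # ten ports on one host
    + [("192.0.2.12", f"198.51.100.{h}", p) for h in range(1, 7) for p in (21, 22, 25, 80, 443)]
    + [("192.0.2.40", "198.51.100.5", 80), ("192.0.2.40", "198.51.100.5", 443)]
)

if __name__ == "__main__":
    for src, shape in sorted(classify_scan_shapes(SAMPLE_RECORDS).items()):
        print(src, shape)
```

A horizontal hit on a single port is the more useful signal of the two, because it usually tells you which service the scanner is interested in before any exploitation attempt shows up.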
Port Scan Types
No matter which method is selected, there are several ways to go about scanning ports on a system. Four common methods are:
TCP SYN scan
Stealth scan
FTP bounce scan
UDP scan
TCP/SYN Scan 1
To establish a TCP connection between a source and a system port, the two parties execute a 3-way handshake:
1. SYN packet
2. SYN/ACK
3. OK (ACK)
Of course, the SYN/ACK in step 2 is only returned if the port is open.
TCP/SYN Scan 2
A connectionless SYN scan can be performed using nmap -sS. This scan sends a message with a SYN in the TCP header but does not reply to the host's return message. Because the client never replies to the host's return message, a full connection is never established and the half connection will not be logged.
Result:
If the host port is open, a message with the SYN and ACK flags will be returned.
If the host port is closed, a message with the RESET flag will be returned.
If a host is contacted that is not alive, a border router will likely respond with a host unreachable message. If the network is configured to not respond with ICMP host unreachable messages, there will be no reply when attempting to scan an inactive host.
If the port is firewalled, there will also be no response. Thus, the hacker must attempt to differentiate between an inactive host and a firewalled port based on other data obtained in the scan.
TCP/SYN Scan 3
Results of a SYN scan of shemp:
Stealth Scan
Filtering and other security systems such as firewalls will usually pick up on SYN packets sent to sensitive ports. Programs are also available to log half-open SYN scan attempts.
However, probe packets with strange TCP flags set can sometimes pass through filters undetected. A stealth scan uses an unusual flag combination which only closed ports respond to with a reset. These include:
A FIN probe, with the FIN TCP flag set
An XMAS probe, with all the flags set
A NULL probe, with no flags set
An ACK probe
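The SYN-scan and stealth-scan slides describe two things a defender can encode: how to read the answer to a SYN probe (open / closed / no response), and which flag combinations never occur in legitimate traffic. The added Python example below is not part of the lecture; it interprets SYN-probe responses as the TCP/SYN Scan 2 slide lists them, names NULL, FIN and XMAS probes by their flag bits, and then, over constructed client-to-server segment records, reports sources that leave many half-open SYNs (the "connection never completed, so never logged" case) or that send NULL/FIN/XMAS probes or ACKs for connections they never opened. The record format, thresholds and addresses are assumptions of the example.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def syn_probe_verdict(response_flags):
    """Interpret what came back for a SYN probe, following the SYN-scan slide."""
    if response_flags is None:
        return "no response (host inactive or port filtered)"
    if response_flags & SYN and response_flags & ACK:
        return "open"
    if response_flags & RST:
        return "closed"
    return "unexpected flags"


def stealth_probe_kind(flags):
    """Name the abnormal flag combinations from the stealth-scan slide, or None for ordinary traffic."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags & FIN and flags & PSH and flags & URG:
        return "XMAS"
    return None


def scan_report(packets, port_threshold=5):
    """packets: (src, dst, dport, flags) for segments sent by the client side.
    Reports a source that leaves >= port_threshold half-open SYNs (SYN never followed
    by its ACK) or that sends any NULL/FIN/XMAS probe or an ACK with no preceding SYN."""
    syn_sent, completed = set(), set()            # keys are (src, dst, dport)
    odd_probes = defaultdict(int)
    for src, dst, dport, flags in packets:
        key = (src, dst, dport)
        if stealth_probe_kind(flags) is not None:
            odd_probes[src] += 1
        elif flags == SYN:
            syn_sent.add(key)
        elif flags & ACK and not flags & SYN:
            if key in syn_sent:
                completed.add(key)                # third handshake step: a real connection
            else:
                odd_probes[src] += 1              # ACK probe: nothing was ever opened here
    half_open = defaultdict(set)
    for src, dst, dport in syn_sent - completed:
        half_open[src].add(dport)
    report = {}
    for src in set(half_open) | set(odd_probes):
        ports = len(half_open[src])
        if ports >= port_threshold or odd_probes[src]:
            report[src] = {"half_open_ports": ports, "odd_flag_probes": odd_probes[src]}
    return report


# Constructed sample: a SYN scanner, a stealth scanner, and an ordinary client
SAMPLE_PACKETS = (
    [("192.0.2.10", "198.51.100.5", p, SYN) for p in (21, 22, 23, 25, 80, 110, 143)]
    + [("192.0.2.11", "198.51.100.5", 80, 0),                 # NULL probe
       ("192.0.2.11", "198.51.100.5", 22, FIN),               # FIN probe
       ("192.0.2.11", "198.51.100.5", 25, FIN | PSH | URG),   # XMAS probe
       ("192.0.2.11", "198.51.100.5", 443, ACK)]              # ACK probe, no SYN before it
    + [("192.0.2.40", "198.51.100.5", 80, SYN),
       ("192.0.2.40", "198.51.100.5", 80, ACK),               # handshake completed
       ("192.0.2.40", "198.51.100.5", 80, PSH | ACK),         # data on the real connection
       ("192.0.2.40", "198.51.100.5", 443, SYN)]              # one unanswered SYN is not a scan
)

if __name__ == "__main__":
    print(syn_probe_verdict(SYN | ACK), syn_probe_verdict(RST), syn_probe_verdict(None))
    for src, summary in sorted(scan_report(SAMPLE_PACKETS).items()):
        print(src, summary)
```

Keeping the SYN and ACK bookkeeping per (src, dst, dport) is what lets the ACK probe be separated from the ACKs of a real session; without that state an ACK-only segment looks entirely normal, which is the point the stealth-scan slide makes about filters.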
XMAS Scan Example
Result of an XMAS scan of shemp:
Notice how many ports are open.
ftp Bounce Scan 1
A known problem in older ftp servers involves:
An attacker connects to an FTP server, which has a world-writable directory, and establishes a control communication connection. The attacker can then ask the FTP server to initiate an active server data transfer process and send a file anywhere on the Internet, presumably to a user data transfer process.
This can be exploited to scan behind a firewall: connect to an FTP server behind a firewall, then try to scan ports that the firewall blocks. If a directory is writable for the account you are using on the FTP server, you can also send data to the ports you find open.
ftp Bounce Scan 2
The process looks like this (diagram: Attacker, Target, ftp Server):
1. Set up a legal ftp session with the ftp server.
2. Send a PORT command to the ftp server telling it to connect to a specific port of the target machine.
3. Follow that with a LIST command. There will be one of two responses:
The port is open: 150 Opening ASCII mode data connection for file list, then 226 Transfer complete
The port is closed: 425 Can't build data connection: Connection refused
UDP Scan
UDP port scanning is extremely slow.
Nmap will try to send a 0-byte datagram and mark the port as open unless an ICMP Destination Unreachable packet is received back.
Does not require root privileges to scan.