Information Gathering
Dr. Neminath Hubballi Indian Institute of Technology Indore

Overview
What is information gathering
Port scanning
Network mapping
Operating system fingerprinting
Collecting information from public databases
Social engineering
Elicitation

What is It
"War is 90% information" - Napoleon Bonaparte
It is about understanding the target
Traditional war vs. computer crime: different techniques
The challenge: stay invisible while gathering the maximum amount of information

Port Scanning
A port is a logical entity to which a running server application or service is bound
A port number is a 16-bit number
It acts as a channel through which data is exchanged between a device and a process
Often it identifies a protocol; for example, port 80 is used by HTTP
Port numbers are of two types: reserved (the first few port numbers) and general (the remaining port numbers)
A port can be a TCP port or a UDP port

Why Scan Ports
Discover running services
Also for a security audit: why are certain ports open when they are not supposed to be? This is why many port scanners are available freely
Normally a target host is chosen for scanning
A target is a single port on a host
A scan is a set of connection attempts from a single source to a set of targets
A port scanner is software that scans a set of ports

Port Scanning
If an application is running on a port, it accepts external communication
If you talk to it, it will respond, either positively or negatively
The simple way to know whether a port is open is to send a packet and wait for a response
What packet to send? It depends

Port Scanning
Scanning means looking at one or more ports and discovering which are open
How? By sending packets
Variety: TCP or UDP
What type of options or flags, e.g. ACK, SYN, URG
At what rate: fast or slow
In what order: contiguous, random, or following some order/logic

Types of Port Scans: by address range, timing, source
By address range
  Vertical scan: scan the same port on different hosts
  Horizontal scan: scan several ports on the same host
  Block scan: a combination of the above two
Timing
  Periodic scan: scan at regular intervals
  Intensive scan: scan a particular set of ports and hosts
  Random scan: no particular order
  Stealth scan: be evasive
Source
  Single source
  Distributed
  Coordinated

Socket based Connections
Socket calls for connection-oriented communication (figure on the slide):
Server: bind(), listen(), accept() (blocks until the server receives a connect request from the client), then read()/write() of data, close()
Client: connect() (connect negotiation with the server's accept()), then write()/read() of data, close()

State of Port
Open: listening and accepts connections
Closed: not listening, or no host there at all
Filtered: you cannot reach it; a firewall does not allow packets in, so the status is unknown
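The socket calls of the previous slide and the three port states of this one, as an added example that is not part of the lecture: a loopback echo server goes through bind()/listen()/accept(), and a client classifies a port from the outcome of its connect(). Everything runs on 127.0.0.1; the helper free_closed_port() is a constructed convenience for finding a port nobody is listening on. The peer list the server keeps also shows why a full connect() is easy to log on the server side.

```python
# Added example (not from the lecture): the socket calls of slide 9 on a
# loopback port, and the port states of slide 10 as seen by the client side.
import socket
import threading


def start_echo_server(host="127.0.0.1"):
    """bind()/listen() on a free loopback port, accept() one client in a
    background thread, echo its data back, then close.  Returns (port, seen);
    `seen` collects the peer addresses accept() handed us, so a completed
    connect() leaves a record here, which is what makes it easy to detect."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))            # port 0: let the OS choose a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = []

    def serve_one():
        conn, peer = srv.accept()  # blocks until a connect request arrives
        seen.append(peer)
        with conn:
            data = conn.recv(1024)  # read()
            conn.sendall(data)      # write()
        srv.close()                 # close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port, seen


def probe_port(host, port, payload=b"hello", timeout=2.0):
    """Classify one port the way slide 10 does, from what connect() reports:
    ('open', echoed bytes) when the handshake completes, ('closed', None) when
    the peer refuses at once (it answered with RST), ('filtered', None) when
    nothing comes back before the timeout (something on the path dropped it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))    # connect negotiation (3-way handshake)
    except ConnectionRefusedError:
        s.close()
        return "closed", None
    except socket.timeout:
        s.close()
        return "filtered", None
    with s:
        s.sendall(payload)                    # write()
        return "open", s.recv(len(payload))   # read()


def free_closed_port(host="127.0.0.1"):
    """Constructed helper: reserve and release a loopback port so the demo has
    one that is (almost certainly) closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    port, seen = start_echo_server()
    print("listening port:", probe_port("127.0.0.1", port, b"ping"))
    print("server logged peers:", seen)
    print("closed port:", probe_port("127.0.0.1", free_closed_port()))
```

The filtered case cannot be shown on loopback, since nothing drops packets there; on a real path it is the only one of the three outcomes that takes the full timeout to decide, which is why scanners and defenders alike treat silence differently from a refusal.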

TCP Scan Types: SYN Scan, FIN Scan, ACK Scan
SYN scan
  A TCP connection is a 3-way handshake
  Send a TCP SYN packet to a target
  If a SYN-ACK arrives the port is open; tear down the connection with RST
  If a RST is received the port is closed
FIN scan
  Send a TCP FIN packet to a target
  If the port is closed a RST will arrive
  If the port is open there is no response
ACK scan
  Send a packet with the ACK flag set
  RST packet received: port is closed
  No reply indicates the port is filtered by a firewall

TCP Scan Types: Connect Scan, Reverse identd Scan, Xmas Tree Scan
Connect scan
  Unix systems use the connect() system call to establish a connection with a peer process
  If connect() succeeds a connection is established; if connect() fails it is not
  At the end of this scan the ports to which a connection could be established are listed
  It is easy to detect, as a full connection is established
Reverse identd scan
Xmas tree scan
  Send a packet with the FIN, URG and PUSH flags set

TCP Scan Types: Null Scan
Send a packet without any flag set
If the port is closed a RST packet is received
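An added example, not from the lecture, written from the detection side of the scan types on the last three slides: an IDS does not need to know what the scanner concluded, it only needs the flag byte of a segment that matched no existing connection. FIN alone, no flags at all, and FIN+PSH+URG are combinations no conforming TCP stack ever opens a flow with, so they are labelled suspicious outright; a lone SYN is what every legitimate connection starts with, and a lone ACK is answered with RST by any unfiltered port, open or closed, so it reveals filtering rather than the open state. The flag bit values are the standard TCP ones; the sample records and addresses are constructed.

```python
# Added example (not from the lecture): classify TCP probes by their flag bits,
# as an IDS signature would, to tell the scan types of slides 11-13 apart.
from collections import Counter, defaultdict

# The six classic TCP flag bits (low byte of the flags field).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def flag_string(flags):
    """Human-readable form of a flags byte, e.g. 0x29 -> 'FIN+PSH+URG'."""
    return "+".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


def classify_probe(flags):
    """Label the first segment of a flow that matched no existing connection.
    Returns (label, suspicious).  Flag sets no conforming stack opens a flow with
    (no flags, FIN alone, FIN+PSH+URG) are suspicious; a lone SYN or a lone ACK
    can be ordinary traffic, so they are reported but not flagged."""
    masked = flags & 0x3F          # drop ECN/CWR bits above the six classic flags
    if masked == 0:
        return "null-scan probe", True
    if masked == FIN | PSH | URG:
        return "xmas-tree probe", True
    if masked == FIN:
        return "fin-scan probe", True
    if masked == SYN:
        return "syn probe or ordinary connection attempt", False
    if masked == ACK:
        return "ack probe or stray segment", False
    return "other (" + flag_string(masked) + ")", False


def probe_report(records):
    """records: iterable of (src_ip, dst_port, flags_byte) for unmatched segments.
    Returns {src_ip: Counter(label -> count)} so an analyst sees which source is
    sending which kind of probe."""
    report = defaultdict(Counter)
    for src, _dport, flags in records:
        label, _ = classify_probe(flags)
        report[src][label] += 1
    return dict(report)


def suspicious_sources(records):
    """Sources that sent at least one flag combination a real stack never opens with."""
    return sorted({src for src, _dport, flags in records if classify_probe(flags)[1]})


# Constructed sample: (source, destination port, TCP flags byte) of unmatched segments.
SAMPLE_PROBES = [
    ("198.51.100.7", 22, 0x02), ("198.51.100.7", 80, 0x02), ("198.51.100.7", 443, 0x02),
    ("203.0.113.9", 22, 0x00), ("203.0.113.9", 25, 0x29), ("203.0.113.9", 80, 0x01),
    ("203.0.113.9", 110, 0x29),
    ("192.0.2.77", 8080, 0xC2),   # SYN with ECN bits set: a normal ECN-capable client
    ("192.0.2.77", 8080, 0x10),
]

if __name__ == "__main__":
    for src, counts in probe_report(SAMPLE_PROBES).items():
        print(src, dict(counts))
    print("suspicious:", suspicious_sources(SAMPLE_PROBES))
```

Masking off the two ECN bits matters in practice: an ECN-capable client's opening SYN carries 0xC2, and a rule that compares the raw byte against 0x02 would miss it, while one that treats any unknown byte as hostile would flag every such client.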

TCP Scan Types: Idle Scan
A very stealthy scanning technique
A zombie is identified through which packets are sent, so packets are not traced back to the scanning host
Works by exploiting "predictable IP fragmentation ID" sequence generation on the zombie host
Check the IPID on the zombie and send a spoofed packet to the victim
If a SYN/ACK packet is received the port is open; otherwise the port is closed

UDP Scan
Not many varieties: send a UDP packet and wait
Difficult to ascertain: there is no response if the port is open, but no response does not by itself indicate an open port on the target
If the port is closed an ICMP_PORT_UNREACHABLE packet will arrive
Only closed ports can be determined; open ports cannot be detected correctly
Many operating systems limit the number of ICMP_PORT_UNREACHABLE packets
nmap -sU

ICMP Scan (Ping Scan)
Send an ICMP ECHO REQUEST packet
If an ICMP ECHO RESPONSE is received the host is up; otherwise it is down

IP Scan
Determine whether IP protocols are supported or not
Send an IP packet without any additional header and wait for a response
If an ICMP_PORT_UNREACHABLE packet is received the IP protocol is not supported; otherwise the IP protocol is supported
Today virtually every machine supports the IP protocol
Some OSes (HP-UX, AIX, Digital UNIX systems) do not send the ICMP_PORT_UNREACHABLE packet
[bash]# nmap -sO

Well-known Ports: UDP Port 7: Echo Service, TCP Port 23: Telnet
UDP Port 7: Echo service
  Send something to this port and the system echoes it back
  A historical attack exploited a weakness with oversized packets (bigger than bytes)
  A variation of the same attack sent fragmented packets accumulating to greater than bytes
TCP Port 23: Telnet
  Used for remote login
  Acts as a terminal emulator
  Historically many buffer overflows were found in telnet

Well-Known Ports: TCP Port 11: Systat, TCP Port 15: Netstat
TCP Port 11: Systat
  Displays the status of the system
  Gives hackers an idea about the users of the system and other services running
TCP Port 15: Netstat
  Displays the network connections of the system, with their protocol
Ports 20, 21: FTP
  Used to transfer files between systems
  Needs an FTP server and a client

Well-Known Ports: TCP Port 25: SMTP
Email service
Listens for incoming messages and copies them to the appropriate mailboxes
Common vulnerabilities: mail bombing, spamming, denial of service attacks

Well-Known Ports: TCP Port 43: Whois, TCP/UDP Port 80: Http
TCP Port 43: Whois
  Provides a directory service
  Some sites maintain information about users, departments and services
TCP/UDP Port 80: Http
  Protocol for the world wide web
  Stateless protocol
  When a URL is entered in a web browser it is converted into an HTTP request and sent

Port Scanning Tools: Nmap, Netcat, Strobe
Nmap: an open source tool
  Popular to the extent of being the de facto name for a port scanner
  More than just a port scanner
  Available for both Linux and Windows platforms
  Commands:
    nmap -sT  full TCP connection scan
    nmap -sS  TCP SYN scan
    nmap -sP  ping scan
    nmap -PT  ping scan with TCP packet
    nmap -sF  TCP FIN scan
    nmap -sX  Xmas tree scan
    nmap -sN  Null scan (turn off many flags)
Netcat:
Strobe:

Port Scanning Tools: Super Scanner
Different scanning options available; much like nmap
Host names can be resolved
The timeout period can be set, i.e., the duration to wait before declaring a host as not up
Traceroute options are also available

Port Scanning Tools: Super Scanner (screenshots)

Defense Mechanisms: Firewall Configuration
Drop packets for closed ports: only repeated scan attempts reveal to attackers that the port is filtered
Do not trust source port values; stateful firewalls will remember the connection state
Most IDSs can detect port scans
Check IDS logs routinely
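An added example of the "check IDS logs routinely" advice, not from the lecture: a small detector that reads firewall DROP lines and reports sources that hit many distinct targets within a short window. The log format, the timestamps and the addresses are all constructed. The reported kinds use the definitions from the "Types of Port Scans" slide (vertical: the same port on different hosts; horizontal: several ports on one host); note that much of the port-scan detection literature uses those two words the other way round, so check which convention a tool follows before comparing alerts.

```python
# Added example (not from the lecture): find port scans in firewall DROP logs,
# following the "check IDS logs routinely" advice on slide 26.  The log format
# and all addresses are constructed for the example.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one source sweeps six ports on one host, a second
# hits the same port on five hosts, and a third produces a single drop.
SAMPLE_LOG = """\
2024-03-01T10:00:01 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=21
2024-03-01T10:00:01 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=22
2024-03-01T10:00:02 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=23
2024-03-01T10:00:02 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=25
2024-03-01T10:00:03 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=80
2024-03-01T10:00:03 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=443
2024-03-01T10:00:10 DROP src=203.0.113.9 dst=192.0.2.10 proto=TCP dport=445
2024-03-01T10:00:11 DROP src=203.0.113.9 dst=192.0.2.11 proto=TCP dport=445
2024-03-01T10:00:12 DROP src=203.0.113.9 dst=192.0.2.12 proto=TCP dport=445
2024-03-01T10:00:13 DROP src=203.0.113.9 dst=192.0.2.13 proto=TCP dport=445
2024-03-01T10:00:14 DROP src=203.0.113.9 dst=192.0.2.14 proto=TCP dport=445
2024-03-01T10:05:00 DROP src=192.0.2.50 dst=192.0.2.10 proto=TCP dport=8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, dport) tuples; lines of another
    shape are skipped rather than aborting the analysis."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def detect_scans(events, window_s=60, threshold=5):
    """Per source, slide a window of window_s seconds over its dropped packets
    and count distinct (host, port) targets.  A source reaching `threshold`
    targets is reported once as (kind, target_count), with `kind` in the
    lecture's slide 8 terms: 'horizontal' (several ports on one host),
    'vertical' (one port on several hosts) or 'block' (both)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            targets = {(dst, dport) for ts, dst, dport in evs[i:]
                       if (ts - t0).total_seconds() <= window_s}
            if len(targets) < threshold:
                continue
            hosts = {dst for dst, _ in targets}
            ports = {dport for _, dport in targets}
            if len(hosts) == 1:
                kind = "horizontal"
            elif len(ports) == 1:
                kind = "vertical"
            else:
                kind = "block"
            alerts[src] = (kind, len(targets))
            break                     # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for src, (kind, n) in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {kind} scan, {n} distinct targets within 60 s")
```

The threshold and window are the knobs a defender tunes: a slow "periodic" scan from the types slide spreads its probes so thinly that a 60-second window never fills, which is exactly why the slide before this one notes that only repeated attempts give a scanner information, and why these counters are worth keeping over hours as well as minutes.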

Network Mapping
Identifying the hosts in a target network
Discovering the IP addresses of hosts
Build a view of the network entities: where is the printer, where is the web server, where is the mail server
Basic mapping tool: ping
Nmap is also a mapper

Port Scanning Tools: Pinger
Pinger shows the network using animated graphic icons
It sends ping messages to all devices in parallel
It graphically shows the active machines in the network

Port Scanning Tools: Pinger (screenshot)

Operating System Fingerprinting
Detection of the operating system running on the target machine
This is possible since different operating systems respond differently to certain kinds of packets
The response obtained from the target machine is compared with stored signatures
Often hosts themselves announce their details in a header or banner

Operating System Fingerprinting
There are two ways of OS fingerprinting: active and passive
Active fingerprinting techniques send a series of carefully crafted packets, analyze the responses and match them against a signature to determine the OS
The following can be used for active detection: FIN probing, ICMP error quoting, TCP timestamp, fragmentation handling

Collecting Information from Public Databases
Whois databases for IP addresses

Whois Database
IP ranges are specific to countries
ARIN: American Registry for Internet Numbers, the database of IP addresses in the US
RIPE: Europe
APNIC: Asia
Why do we need such a database? It helps in traceback: inform the IT in-charge of the source network of an attack