Slide 1: DefCon: Network Mapping Techniques
Simple Nomad
Nomad Mobile Research Centre
BindView Corporation
Slide 2: About This Presentation
- Assume basics
  - Understand IP addressing
  - Understand basic system administration
- Tools
  - Where to find them
  - Basic usage
- A "Network" point of view
Slide 3: About Me
- NMRC: http://www.nmrc.org/
- BindView: http://razor.bindview.com/
Slide 4: Know Your Target
- Public information
- Network enumeration
- Network mapping
Slide 5: Public Information
- Public records
- WHOIS
- DNS
- Public postings
Slide 6: Network Enumeration
- Goals of network enumeration
- ICMP
- Scanning
- TCP Fingerprinting
- Additional Probes
Slide 7: ICMP
- Sweeping a network with Echo
- Typical alternates to ping
  - Timestamp
  - Info Request
- Advanced ICMP enumeration
  - Host or port unreachable with illegal header length
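The three request types on this slide, as an added example that is not from the talk: it builds echo, timestamp and information requests with a correct RFC 1071 checksum, parses whatever comes back, and counts a host as up only when the reply's type, identifier and sequence match a probe we actually sent, so stray or spoofed ICMP is not mistaken for an answer. Sending needs a raw socket (root or CAP_NET_RAW), so the send helper is kept apart from the packet logic; the identifier 0x1234 and the loopback target are arbitrary choices for the demo.

```python
import socket
import struct
import time

# ICMP message types used for host enumeration (RFC 792). A filter that only
# drops echo (type 8) often still lets timestamp and information requests through.
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_TIMESTAMP_REPLY, ICMP_TIMESTAMP_REQUEST = 14, 13
ICMP_INFO_REPLY, ICMP_INFO_REQUEST = 16, 15
REPLY_FOR = {
    ICMP_ECHO_REQUEST: ICMP_ECHO_REPLY,
    ICMP_TIMESTAMP_REQUEST: ICMP_TIMESTAMP_REPLY,
    ICMP_INFO_REQUEST: ICMP_INFO_REPLY,
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, odd byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_request(msg_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Serialise an ICMP request: type, code 0, checksum, identifier, sequence, payload."""
    if msg_type not in REPLY_FOR:
        raise ValueError("not an enumeration request type: %d" % msg_type)
    if msg_type == ICMP_TIMESTAMP_REQUEST and not payload:
        # Originate timestamp is milliseconds since midnight UTC; receive and
        # transmit are zero in the request and filled in by the responder.
        t = time.gmtime()
        ms = ((t.tm_hour * 60 + t.tm_min) * 60 + t.tm_sec) * 1000
        payload = struct.pack("!III", ms, 0, 0)
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_icmp(raw: bytes) -> dict:
    """Parse an ICMP message (IP header already stripped); rejects a bad checksum."""
    if len(raw) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(raw) != 0:  # with a correct checksum field the sum comes out zero
        raise ValueError("ICMP checksum mismatch")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    msg = {"type": msg_type, "code": code, "id": ident, "seq": seq, "payload": raw[8:]}
    if msg_type in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY) and len(raw) >= 20:
        msg["originate"], msg["receive"], msg["transmit"] = struct.unpack("!III", raw[8:20])
    return msg


def is_reply_to(request: bytes, reply: bytes) -> bool:
    """Count a host as up only when type, identifier and sequence match our own probe."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["type"] == REPLY_FOR[req["type"]]
            and rep["id"] == req["id"] and rep["seq"] == req["seq"])


def sweep_probes(hosts, ident: int):
    """One probe of each request type per host, as (host, probe_bytes) pairs."""
    probes = []
    for seq, host in enumerate(hosts):
        for msg_type in REPLY_FOR:
            probes.append((host, build_request(msg_type, ident, seq)))
    return probes


def send_probe(dst: str, probe: bytes) -> None:
    """Send one raw ICMP probe; raw sockets need root or CAP_NET_RAW."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.sendto(probe, (dst, 0))


if __name__ == "__main__":
    # Loopback sweep as a smoke test; in practice replies are read from the same raw socket.
    for host, probe in sweep_probes(["127.0.0.1"], ident=0x1234):
        send_probe(host, probe)
```

The identifier is what ties replies back to this run when several sweeps share a host; a timestamp reply additionally carries the target's clock, which is why that type is worth sending even when echo is answered.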
Slide 8: Scanning
- Why scan?
- Nmap, the de facto standard
  - Ping sweeps
  - Port scanning
  - Additional features
Slide 9: TCP Fingerprinting
- Several different types of packets are sent
- Various responses come back
- Differences in the responses can determine the OS of the remote system
- Using just ICMP is possible
Slide 10: Additional Probes
- Possible security devices
- Sweep for promiscuous devices
Slide 11: Network Mapping
- Determine network layout
- Traceroute
- Firewalk
Slide 12: Bypassing the Firewall
- Tools
  - Firewalk
  - Nmap
- Common ports
- State table manipulation
Slide 13: Avoiding Intrusion Detection
- Manipulation of "detected" data
- Use of fragmented packets
- Triggering false positives, or distraction
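The fragmented-packet trick from this slide, as an added example that is not from the talk: a TCP SYN is split into 8-byte IP fragments (the size nmap -f uses), so the first fragment carries the ports and part of the sequence number but not the TCP flags, and a stateless filter or IDS that only inspects first fragments never sees the SYN. reassemble shows what the end host does with the pieces, and rejected_by_filter is the defender's check in the spirit of RFC 1858: drop a first fragment that does not contain the whole 20-byte TCP base header, and drop anything at offset 1, where it could overwrite the flags of the first fragment. The 20-byte threshold is this example's own choice; the addresses, ports and identifiers are made up.

```python
import socket
import struct

IPPROTO_TCP = 6
IP_MF = 0x1  # "more fragments" flag; bit 13 of the IPv4 flags/fragment-offset field


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used for the IP header and the TCP pseudo-header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0) -> bytes:
    """20-byte TCP header with only SYN set; the checksum covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x02, 8192, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int,
               flags: int = 0, frag_offset: int = 0, ttl: int = 64) -> bytes:
    """IPv4 header without options in front of payload; frag_offset is in 8-byte units."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      (flags << 13) | frag_offset, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Header fields a filter or a reassembler needs; verifies the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    _, _, total_len, ident, fo, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ident": ident, "mf": bool((fo >> 13) & IP_MF), "offset": fo & 0x1FFF, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "payload": pkt[ihl:total_len]}


def fragment(src: str, dst: str, proto: int, payload: bytes, ident: int, chunk: int = 8):
    """Split one transport segment into IP fragments carrying `chunk` bytes each.
    chunk must be a multiple of 8 because offsets are stored in 8-byte units."""
    if chunk % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = IP_MF if off + chunk < len(payload) else 0
        frags.append(build_ipv4(src, dst, proto, piece, ident, flags=more, frag_offset=off // 8))
    return frags


def reassemble(frags) -> bytes:
    """What the destination's IP stack does: order by offset, require a single identifier,
    no gaps or overlaps, and MF clear on the last piece."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    if len({p["ident"] for p in parts}) != 1 or parts[-1]["mf"]:
        raise ValueError("incomplete fragment set")
    data = b""
    for p in parts:
        if p["offset"] * 8 != len(data):
            raise ValueError("gap or overlap at offset %d" % p["offset"])
        data += p["payload"]
    return data


def rejected_by_filter(frag: bytes) -> bool:
    """Defender's check (after RFC 1858, thresholds chosen here): the first fragment of a
    TCP segment must carry the whole 20-byte base header so ports and flags are visible,
    and no fragment may start at offset 1, where it could overwrite those flags."""
    p = parse_ipv4(frag)
    if p["proto"] != IPPROTO_TCP or not (p["mf"] or p["offset"]):
        return False  # not TCP, or not a fragment at all
    if p["offset"] == 0 and len(p["payload"]) < 20:
        return True
    return p["offset"] == 1
```

A filter that reassembles before inspecting is not fooled by this; the technique only works against devices that judge each fragment on its own, which is exactly what the rejected_by_filter rule compensates for.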
Slide 14: Connecting the Dots
- View each step as a small part of a big picture
- Each step is important
- Data could be stored for later use
Slide 15: Example Intrusion
- WHOIS
  - DNS server names
- Traceroute
- DNS zone dump
- Host enumeration
- Public systems
- Initial port scanning
Slide 16: WHOIS

    # whois target-company.com@internic.net

    Whois Server Version 1.1

    Domain names in the .com, .net, and .org domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: TARGET-COMPANY.COM
    Registrar: NETWORK SOLUTIONS, INC.
    Whois Server: whois.networksolutions.com
    Referral URL: www.networksolutions.com
    Name Server: NS1.TARGET-COMPANY.COM
    Name Server: NS2.TARGET-COMPANY.COM
    Updated Date: 06-dec-1999

    >>> Last update of whois database: Mon, 20 Mar 00 03:35:14 EST <<<

    The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and Registrars.
Slide 17: Traceroute

    # traceroute ns1.target-company.com
    traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
     1  fw-gw (209.197.192.1)  0.978 ms  0.886 ms  0.875 ms
     2  s1-0-1-access (209.197.224.69)  4.816 ms  5.275 ms  3.969 ms
     3  dallas.tx.core1.fastlane.net (209.197.224.1)  4.622 ms  9.439 ms  3.977 ms
     4  atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217)  6.564 ms  5.639 ms  6.681 ms
     5  Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53)  7.148 ms  6.595 ms  7.371 ms
     6  103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38)  11.861 ms  11.669 ms  6.732 ms
     7  152.63.96.85 (152.63.96.85)  10.565 ms  25.423 ms  25.369 ms
     8  dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153)  13.289 ms  10.585 ms  17.173 ms
     9  dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101)  44.951 ms  241.358 ms  248.838 ms
    10  swbell-net.demarc.swbell.net (206.181.125.10)  12.242 ms  13.821 ms  27.618 ms
    11  ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137)  25.299 ms  11.295 ms  23.958 ms
    12  target-company-818777.cust-rtr.swbell.net (151.164.x.xxx)  52.104 ms  24.306 ms  17.248 ms
    13  ns1.target-company.com (xxx.xx.xx.xx)  23.812 ms  24.383 ms  27.489 ms
Slide 18: Traceroute

    # traceroute ns2.target-company.com
    traceroute to ns2.target-company.com (xxx.xx.x.x), 30 hops max, 40 byte packets
     1  fw-gw (209.197.192.1)  1.770 ms  2.993 ms  0.892 ms
     2  s1-0-17-access (209.197.224.73)  15.440 ms  13.571 ms  s1-0-1-access (209.197.224.69)  4.896 ms
     3  dallas.tx.core1.fastlane.net (209.197.224.1)  3.929 ms  6.251 ms  15.821 ms
     4  FE-0.core2.fastlane.net (209.197.224.66)  20.674 ms  15.367 ms  16.170 ms
     5  hs-9-0.a09.dllstx01.us.ra.verio.net (204.214.10.113)  5.514 ms  14.367 ms  8.203 ms
     6  ge-5-0-0.a10.dllstx01.us.ra.verio.net (199.1.141.10)  8.019 ms  20.183 ms  16.466 ms
     7  g6-0.dfw2.verio.net (129.250.31.49)  16.513 ms  17.351 ms  6.854 ms
     8  core4-atm-uni0-0-0.Dallas.cw.net (204.70.10.77)  24.335 ms  16.087 ms  17.605 ms
     9  core2-fddi-0.Dallas.cw.net (204.70.114.49)  6.875 ms  14.039 ms  14.483 ms
    10  border6-fddi-0.Dallas.cw.net (204.70.114.66)  146.605 ms  21.045 ms  110.419 ms
    11  target-company-inet.Dallas.cw.net (204.70.xxx.xxx)  83.331 ms  34.530 ms  21.363 ms
    12  ns1.target-company.com (xxx.xx.x.x)  18.105 ms  13.290 ms  29.042 ms
Slide 19: DNS Zone Dump

    # nslookup
    Default Server:  vortex.fastlane.net
    Address:  209.197.192.7

    > server ns1.target-company.com
    Default Server:  ns1.target-company.com
    Address:  xxx.xx.xx.xx

    > ls -a TARGET-COMPANY.COM > dump.txt
    [ns1.target-company.com]
    ################################################################################
    ######################################################################
    Received 40773 answers (0 records).
    >
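The ls command above makes nslookup request a zone transfer (AXFR), which runs over TCP. As an added example that is not from the talk, here is the request and a parser for the answer written by hand so the TCP framing and name compression are visible, plus the yes/no check a practitioner actually wants: did the server hand the zone to a stranger, or did it answer REFUSED. The sample answers are constructed, not real server output, and axfr is the only function that touches the network; a live transfer is a stream of such messages starting and ending with the zone's SOA, and this parser handles one message at a time.

```python
import socket
import struct

TYPE_A, TYPE_NS, TYPE_SOA, QTYPE_AXFR, CLASS_IN = 1, 2, 6, 252, 1
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """AXFR goes over TCP, so a 2-byte length prefix precedes the DNS message."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # standard query, RD clear
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg: bytes, off: int):
    """Read a name at `off`, following RFC 1035 compression pointers; returns (name, end)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            if not jumped:
                end = off + 2
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(frame: bytes):
    """Parse one TCP-framed DNS message into (rcode, [(name, type, rdata), ...])."""
    (length,) = struct.unpack("!H", frame[:2])
    msg = frame[2:2 + length]
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _name, off = decode_name(msg, off)
        off += 4  # qtype, qclass
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            rdata = socket.inet_ntoa(msg[off:off + 4])
        elif rtype == TYPE_NS:
            rdata, _end = decode_name(msg, off)
        else:
            rdata = msg[off:off + rdlen]  # SOA, MX and the rest left as raw bytes
        off += rdlen
        records.append((name, rtype, rdata))
    return flags & 0xF, records


def zone_transfer_allowed(rcode: int, records) -> bool:
    """A properly restricted server answers REFUSED (or nothing) to an unknown client."""
    return rcode == 0 and len(records) > 0


def axfr(zone: str, server: str, port: int = 53, timeout: float = 5.0):
    """Live transfer attempt (not exercised offline); returns the first message parsed."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        head = s.recv(2)
        (n,) = struct.unpack("!H", head)
        body = b""
        while len(body) < n:
            body += s.recv(n - len(body))
    return parse_response(head + body)


# Constructed sample answers (not real server output): an open zone that returns NS and A
# records with compressed names, and a REFUSED answer from a server that restricts transfers.
_QUESTION = encode_name("target-company.com") + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)
_NS_RR = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600, 6) + b"\x03ns1\xc0\x0c"
_A_RR = b"\x03ns1\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4) + socket.inet_aton("10.0.0.53")
_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0) + _QUESTION + _NS_RR + _A_RR
_DENIED = struct.pack("!HHHHHH", 0x1234, 0x8400 | RCODE_REFUSED, 1, 0, 0, 0) + _QUESTION
SAMPLE_OPEN_ZONE = struct.pack("!H", len(_OPEN)) + _OPEN
SAMPLE_REFUSED = struct.pack("!H", len(_DENIED)) + _DENIED
```

The fix on the server side is an allow-transfer (or equivalent) list limited to the secondaries; running zone_transfer_allowed(*axfr(zone, ns)) from an outside address is the quickest way to confirm the restriction is in place.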
Slide 20: Host Enumeration

    # ./icmpenum -i 2 -c xxx.xx.218.0
    xxx.xx.218.23 is up
    xxx.xx.218.26 is up
    xxx.xx.218.52 is up
    xxx.xx.218.53 is up
    xxx.xx.218.58 is up
    xxx.xx.218.63 is up
    xxx.xx.218.82 is up
    xxx.xx.218.90 is up
    xxx.xx.218.92 is up
    xxx.xx.218.96 is up
    xxx.xx.218.118 is up
    xxx.xx.218.123 is up
    xxx.xx.218.126 is up
    xxx.xx.218.130 is up
    xxx.xx.218.187 is up
    xxx.xx.218.189 is up
    xxx.xx.218.215 is up
    xxx.xx.218.253 is up
Slide 21: Public Systems
- www.target-system.com
  - www2, www3
- ftp.target-system.com
- mail.target-system.com
Slide 22: Scanning

    # nmap -O -T Polite -n xxx.xx.17.11

    Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Interesting ports on (xxx.xx.17.11):
    Port    State       Protocol  Service
    21      open        tcp       ftp
    23      open        tcp       telnet
    25      open        tcp       smtp
    79      open        tcp       finger
    110     open        tcp       pop-3
    113     open        tcp       auth
    143     open        tcp       imap2

    TCP Sequence Prediction: Class=truly random
                             Difficulty=9999999 (Good luck!)
    Remote operating system guess: Linux 2.0.35-37

    Nmap run completed -- 1 IP address (1 host up) scanned in 625 seconds

    # nmap -O xxx.xx.17.11

    Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    No ports open for host (xxx.xx.17.11)
    Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
Slide 23: More Scanning

    # nmap -F -sS -v -v -n firewall.target-system.com

    Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Host (xxx.xx.49.17) appears to be up ... good.
    Initiating SYN half-open stealth scan against (xxx.xx.49.17)
    Adding TCP port 189 (state Firewalled).
    The SYN scan took 270 seconds to scan 1047 ports.
    Interesting ports on (xxx.xx.49.17):
    Port    State       Protocol  Service
    139     filtered    tcp       netbios-ssn
    161     filtered    tcp       snmp
    189     filtered    tcp       qft
    256     filtered    tcp       rap
    257     filtered    tcp       set
    258     filtered    tcp       yak-chat

    Nmap run completed -- 1 IP address (1 host up) scanned in 273 seconds
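Both scan listings (slides 22 and 23) reward reading by machine. This added example, not part of the talk, parses the nmap 2.x column layout, compares the polite scan with the default-timing one (seven open services versus "no ports open" on a host that is still up, which points at rate-based blocking or an IDS reacting to the faster scan), and names the firewall from its filtered ports: TCP 256, 257 and 258 are Check Point FireWall-1's management and log ports, which is how the final map on slide 30 can label xxx.xx.49.17 as a FireWall-1 box. The sample text is the slide output itself, lightly abridged; the FireWall-1 port mapping is general knowledge about that product, not something the slides spell out.

```python
import re

# Scan output from slides 22 and 23 (nmap 2.3BETA14 normal output, one row per line).
POLITE_SCAN = """\
# nmap -O -T Polite -n xxx.xx.17.11
Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (xxx.xx.17.11):
Port    State       Protocol  Service
21      open        tcp       ftp
23      open        tcp       telnet
25      open        tcp       smtp
79      open        tcp       finger
110     open        tcp       pop-3
113     open        tcp       auth
143     open        tcp       imap2
Remote operating system guess: Linux 2.0.35-37
Nmap run completed -- 1 IP address (1 host up) scanned in 625 seconds
"""
DEFAULT_SCAN = """\
# nmap -O xxx.xx.17.11
Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ )
No ports open for host (xxx.xx.17.11)
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
"""
FIREWALL_SCAN = """\
# nmap -F -sS -v -v -n firewall.target-system.com
Host (xxx.xx.49.17) appears to be up ... good.
Adding TCP port 189 (state Firewalled).
Interesting ports on (xxx.xx.49.17):
Port    State       Protocol  Service
139     filtered    tcp       netbios-ssn
161     filtered    tcp       snmp
189     filtered    tcp       qft
256     filtered    tcp       rap
257     filtered    tcp       set
258     filtered    tcp       yak-chat
Nmap run completed -- 1 IP address (1 host up) scanned in 273 seconds
"""

PORT_RE = re.compile(r"^(\d+)\s+(open|closed|filtered)\s+(tcp|udp)\s+(\S+)")
HOST_RE = re.compile(r"^(Interesting ports on|No ports open for host) \(([\w.]+)\)")
OS_RE = re.compile(r"^Remote operating system guess: (.+)$")
SECONDS_RE = re.compile(r"scanned in (\d+) seconds")

# Check Point FireWall-1 listens on TCP 256 (FW1), 257 (FW1_log) and 258 (FW1_mgmt);
# all three filtered on a box that answers nothing else is a strong FW-1 tell.
FW1_PORTS = {256, 257, 258}


def parse_nmap(text: str) -> dict:
    scan = {"host": None, "ports": [], "no_ports_open": False, "os_guess": None, "seconds": None}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            scan["host"] = m.group(2)
            scan["no_ports_open"] = m.group(1).startswith("No ports")
            continue
        m = PORT_RE.match(line)
        if m:
            scan["ports"].append({"port": int(m.group(1)), "state": m.group(2),
                                  "proto": m.group(3), "service": m.group(4)})
            continue
        m = OS_RE.match(line)
        if m:
            scan["os_guess"] = m.group(1)
        m = SECONDS_RE.search(line)
        if m:
            scan["seconds"] = int(m.group(1))
    return scan


def ports_in_state(scan: dict, state: str):
    return sorted(p["port"] for p in scan["ports"] if p["state"] == state)


def fingerprint_firewall(scan: dict):
    """Name the firewall product from the filtered-port pattern, or None if nothing matches."""
    if FW1_PORTS <= set(ports_in_state(scan, "filtered")):
        return "Check Point FireWall-1 (TCP 256/257/258 filtered)"
    return None


def compare_timing(slow: dict, fast: dict) -> dict:
    """Services seen only by the slower scan point at rate-based blocking or an IDS
    shunning the faster one: the host is still up, it just stops answering."""
    only_slow = sorted(set(ports_in_state(slow, "open")) - set(ports_in_state(fast, "open")))
    return {"only_in_slow": only_slow,
            "slow_seconds": slow["seconds"], "fast_seconds": fast["seconds"],
            "rate_limiting_suspected": bool(only_slow) and fast["no_ports_open"]}
```

The practical lesson of slide 22 is that a scan result of "nothing open" is itself data: repeat the scan with -T Polite (or slower) before concluding the host offers no services, and note which timing triggered the block, since that is the threshold the defender tuned.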
Slides 24-30: Network Mapping (one diagram, built up a layer per slide)

Layers in the order they are added: the Internet and the two upstream providers' routers (cw, swb); the firewall; the DMZ and the VPN; the www and ftp hosts in the DMZ; the inside hosts (Sun, Linux, NT).

Labels on the final diagram (slide 30):
- Cisco 7206, 204.70.xxx.xxx (the cw side, cf. slide 18)
- Nortel CVX1800, 151.164.x.xxx (the swb side, cf. slide 17)
- Checkpoint Firewall-1 on Solaris 2.7, xxx.xx.49.17 (a second Checkpoint Firewall-1 label also appears on the diagram)
- Nortel VPN, xxx.xx.22.7
- AIX 4.2.1, xxx.xx.48.1
- Linux 2.0.38, xxx.xx.48.2
- IDS?
Slide 31: Basic Distributed Attack Models
- Attacks that do not require direct observation of the results
- Attacks that require the attacker to directly observe the results
Slide 32: Basic Model (diagram)
- Client: issues commands
- Server: processes commands to agents
- Agent: carries out commands
Slide 33: More Advanced Model (diagram)
- Attacker sends forged ICMP Timestamp Requests to the Target
- The Target's ICMP Timestamp Replies go to the forged source address
- The Attacker collects them as sniffed replies
Slides 34-40: Even More Advanced Model (one diagram, built up an element per slide)

Elements in the order they are added: the Target, sitting behind a Firewall; an Upstream Host beyond that firewall; a Master Node; an Attack Node; Attacks or Probes sent from the Attack Node to the Target; Replies from the Target toward the Upstream Host; and a second Attack Node that collects those replies as Sniffed Replies.
Slide 41: (Mostly) Free Stuff
- HackerShield RapidFire Update 208
  - With SANS Top Ten checks, including comprehensive CGI scanner
  - http://www.bindview.com/products/hackershield/index.html
- VLAD the Scanner
  - Freeware open-source security scanner, including the same CGI checks as HackerShield
  - Focuses only on the SANS Top Ten
  - http://razor.bindview.com/tools/index.shtml
- Despoof
  - Detects possible spoofed packets through active queries against the suspected spoofed IP address
  - http://razor.bindview.com/tools/index.shtml
Slide 42: Questions, etc.
- Thanks to:
  - Ofir Arkin
  - Donald McLachlan
- For followup:
  - http://www.nmrc.org/
  - http://razor.bindview.com/
  - thegnome@nmrc.org
  - thegnome@razor.bindview.com