
SCSC 555 Frank Li.  Port scanning  Port-scanning tools  Ping sweeps 2.

Presentation transcript:

1 SCSC 555 Frank Li

2 Outline
 Port scanning
 Port-scanning tools
 Ping sweeps

3  Port scanning
◦ Finds out which services a host offers
◦ Identifies candidate vulnerabilities (a listening service is the attack surface)
◦ Scan all ports (1-65535) when testing, not just the well-known ports (1-1023)
 Open services can be used in attacks
◦ Identify a vulnerable service via scanning
◦ Then launch an exploit against it
◦ E.g. ?

4  Port-scanning programs report:
◦ Open ports: the host answered that something is listening (e.g. SYN/ACK to a SYN)
◦ Closed ports: the host answered that nothing is listening (RST to a SYN)
◦ Filtered ports: no answer at all, or an ICMP unreachable from a firewall, so the scanner cannot tell whether anything is listening
◦ Best-guess assessment of which OS is running
Discussion: closed port vs. filtered port

5  SYN scan
◦ Aka. stealth or half-open scan: sends a SYN, classifies the port from the SYN/ACK or RST that comes back, then tears down with a RST instead of completing the handshake
 Connect scan
◦ Completes the three-way handshake, so the listening application sees (and may log) the connection
 NULL scan
◦ All TCP flags are turned off
 XMAS scan
◦ FIN, PSH and URG flags are set

6  ACK scan
◦ Used to map firewall rules: a RST back means the port is unfiltered (reachable), no reply means filtered; it does not distinguish open from closed
 FIN scan
◦ Closed port responds with an RST packet; an open port sends nothing (RFC 793 behaviour; Windows replies with RST in both cases, so FIN/NULL/XMAS scans cannot classify it)
 UDP scan
◦ Closed port responds with an ICMP "Port Unreachable" message; no reply means open or filtered
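The difference between a SYN scan and a connect scan on slide 5 is easiest to see from the service's side. The following is an added example (not code from the slides): a connect scan in Python against 127.0.0.1, with a throwaway listener standing in for a real service. Because connect() lets the kernel finish the three-way handshake, the listener's accept() fires once per scanned open port, which is exactly the event a real service would log. The classification rule follows the slides: SYN/ACK means open, RST (ConnectionRefusedError) means closed, no answer within the timeout means filtered. The listener and the closed port are set up locally so it runs offline.

```python
"""Connect scan vs. the three-way handshake (added example; not from the slides)."""
import errno
import socket
import threading
import time


def connect_scan(host, ports, timeout=1.0):
    """Return {port: 'open'|'closed'|'filtered'} using full TCP connects."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"          # SYN/ACK came back; handshake completed
        except socket.timeout:
            results[port] = "filtered"      # neither SYN/ACK nor RST: something dropped the SYN
        except ConnectionRefusedError:
            results[port] = "closed"        # RST came back: nothing listening
        except OSError as exc:
            # ICMP host/network unreachable is surfaced by the kernel as an errno;
            # a scanner treats it like a filter, as nmap's "host-unreach" reason does
            results[port] = "filtered" if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH) else "error"
        finally:
            s.close()
    return results


class CountingListener:
    """Stand-in for a real service: counts how many connections reach accept()."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, 0))            # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)
        self.port = self.sock.getsockname()[1]
        self.accepted = 0
        self._stop = False
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop:
            try:
                conn, _peer = self.sock.accept()
            except socket.timeout:
                continue
            self.accepted += 1               # this is the event a service would log
            conn.close()

    def close(self):
        self._stop = True
        self._thread.join()
        self.sock.close()


def free_port(host="127.0.0.1"):
    """Pick a port nothing listens on, so the scan gets a RST for it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed local port; report what the 'service' saw."""
    listener = CountingListener()
    closed = free_port()
    results = connect_scan("127.0.0.1", [listener.port, closed])
    deadline = time.time() + 2.0            # give the accept thread a moment to pick up the connection
    while listener.accepted < 1 and time.time() < deadline:
        time.sleep(0.05)
    listener.close()
    return {"open_port": listener.port, "closed_port": closed,
            "results": results, "connections_seen_by_service": listener.accepted}


if __name__ == "__main__":
    print(demo())
```

A SYN scan of the same two ports would produce the same open/closed verdicts, but the listener's counter would stay at 0: the kernel never hands a half-open connection to accept(), which is the whole point of the "stealth" label and also why it needs raw-socket (root) privileges.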

7 Outline
 Port scanning
 Port-scanning tools
 Ping sweeps

8 Port-scanning tools
 Nmap
 Genlist
 Zenmap
 Unicornscan
 Nessus

9  Nmap ("Network Mapper")
◦ An open source tool for network exploration and security auditing
◦ Commonly used for security audits; many system and network administrators also find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime

10  Nmap can rapidly scan large networks to determine:
◦ what hosts are available on the network,
◦ what services (application name and version) those hosts are offering,
◦ what operating systems (and OS versions) they are running,
◦ what type of packet filters/firewalls are in use,
◦ and dozens of other characteristics ...

11 nmap -sS -P0 -O -T Sneaky -p 445 -D 64.233.169.99
 Stealth scan (-sS): sends a SYN and does not complete the TCP connection. This is fairly fast and unobtrusive (it needs raw-socket privileges, i.e. root).
 The -P0 flag tells nmap NOT to ping the target first, which adds to stealth and also reaches hosts that block ICMP. In current Nmap releases the flag is spelled -Pn; -P0 is the deprecated old form.
 -T is a timing template, from paranoid (0) and sneaky (1) up to insane (5); it determines how fast packets are generated.
 -p specifies a port or a port range. Caveat: -O (OS fingerprinting) works best when Nmap sees at least one open and one closed port, so with a single port the OS guess will be unreliable and Nmap says so.
 -D lets you specify a list of decoys.
◦ Here googlebot's IP address is used as a decoy, so nmap generates packets from both your IP address and googlebot's. The target sees the same scan arriving from several sources and cannot easily tell which one is real.
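The open/closed/filtered verdicts from slide 4 and the OS guess from -O are easiest to consume from Nmap's XML output (-oX) rather than the screen text. The following is an added example (not code from the slides or from the Nmap project): a small parser for that XML plus a one-line-per-host triage summary. SAMPLE_XML is constructed by hand in the shape Nmap writes; the host 192.0.2.10, its ports and the OS match are made up. The reason attribute (what --reason prints) records why each port got its state, which is the evidence for the closed-vs-filtered discussion.

```python
"""Reading Nmap -oX output (added example; not from the slides or from Nmap)."""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML layout; addresses and ports are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -Pn -O --reason -p 22,139,445,3389 -oX - 192.0.2.10">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset" reason_ttl="128"/><service name="ssh"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 10" accuracy="93"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: address, ports grouped by state, and the top OS match."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:                          # IPv6-only host: take whatever address is there
            addr_el = host.find("address")
        entry = {"addr": addr_el.get("addr"), "ports": {}, "os": None}
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            entry["ports"].setdefault(state.get("state"), []).append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "reason": state.get("reason"),       # why nmap decided: syn-ack, reset, no-response ...
                "service": svc.get("name") if svc is not None else None,
            })
        osmatch = host.find("os/osmatch")            # nmap lists matches best-first
        if osmatch is not None:
            entry["os"] = (osmatch.get("name"), int(osmatch.get("accuracy")))
        hosts.append(entry)
    return hosts


def triage(hosts):
    """Flatten the parsed result into one line per host for a report or a ticket."""
    lines = []
    for h in hosts:
        known = ("open", "closed", "filtered")
        order = known + tuple(sorted(set(h["ports"]) - set(known)))   # e.g. open|filtered from UDP scans
        parts = []
        for state in order:
            if state in h["ports"]:
                ports = ", ".join(f"{p['port']}/{p['proto']} ({p['reason']})" for p in h["ports"][state])
                parts.append(f"{state}: {ports}")
        os_text = f"; OS guess {h['os'][0]} ({h['os'][1]}%)" if h["os"] else ""
        lines.append(f"{h['addr']} " + "; ".join(parts) + os_text)
    return lines


if __name__ == "__main__":
    for line in triage(parse_nmap_xml(SAMPLE_XML)):
        print(line)
```

Run a real scan with `-oX scan.xml` and feed the file's contents to parse_nmap_xml; ports Nmap folds into an <extraports> element (the hundreds of identical closed or filtered ports it does not list individually) are deliberately not expanded here.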

12  Genlist is a program that returns a list of hosts responding to ping probes.
◦ This list can then be fed to Nmap so that only live machines are scanned.
 Example:
1. Generate a list of live hosts and save it to a file called "list":
genlist -s 216.109.112.\* > list
2. Use Nmap to scan that list:
nmap -v -iL list

13  Zenmap is the official Nmap Security Scanner GUI.
◦ A multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application
◦ Makes Nmap easy for beginners to use
◦ Also provides advanced features for experienced Nmap users

14  Frequently used scans can be saved as profiles to make them easy to run repeatedly.
 A command creator allows interactive creation of Nmap command lines.
 Scan results can be saved in a searchable database and viewed later.


17  Results viewing
◦ Arrange the display to show all ports on a host or all hosts running a particular service.
◦ The results of several scans may be combined and viewed at once.
 Comparison
◦ Graphically show the differences between two scans.
◦ Scans run on different days, scans of two different hosts, scans of the same hosts with different options, or any other combination.
 Convenience
◦ Keeps track of scan results until you choose to throw them away.
 Repeatability
◦ Command profiles make it easy to run the exact same scan more than once.

18  Unicornscan is a scalable port scanner
◦ Developed in 2004
◦ Uses CPU-specific instructions to track the packets per second (PPS) you specify as closely as possible
 E.g., from a single Pentium system it is typical to be able to generate 25,000 PPS or more
◦ Ideal for conducting tests on large networks

19  UDP scan is optimized for speed
◦ UDP scanning is an unreliable method of discovering live services, because an open (or filtered) UDP port usually sends nothing back; only a closed port answers, with ICMP Port Unreachable
◦ Scans 65,535 ports in three to seven seconds
 Unicornscan also handles port scanning using TCP, ICMP and IP

20  Common flag schemes:
◦ a SYN scan: -mT
◦ an ACK scan: -mTsA
◦ a FIN scan: -mTsF
◦ a NULL scan: -mTs
◦ an nmap-style XMAS scan: -mTsFPU
◦ a scan with all options on: -mTFSRPAUEC

21 # unicornscan -r200 -mU -I 192.168.0.0/24:53
 Option description:
-r200  200 packets per second
-mU    scan mode UDP
-I     immediately display results on the screen as received
:53    port 53

22 # unicornscan -r500 -mT www.yahoo.com/29:80,443
 Option description:
-r500  500 packets per second
-mT    scan mode TCP (TCP is the default mode if not otherwise specified)
www.yahoo.com/29  the /29 network (8 addresses) that contains the resolved host address; the number after the slash is a netmask, not a port
:80,443  ports 80 and 443

23  Nessus is capable of:
◦ high-speed discovery,
◦ configuration auditing,
◦ asset profiling,
◦ sensitive data discovery and vulnerability analysis
 Nessus uses a client/server architecture
◦ Server runs on any *NIX platform
◦ Client can be UNIX or Windows
◦ Testing can be conducted from different locations

24  A Nessus security plug-in is a security test program (script) that can be selected from the client interface.
◦ Nessus can update its security-check plug-ins
◦ Plug-ins find vulnerabilities associated with the services identified during discovery


26 Outline
 Port scanning
 Port-scanning tools
 Ping sweeps

27  Ping sweeps identify which IP addresses belong to active hosts
 Problems with ping sweeps:
◦ Computers that are shut down cannot respond
◦ Networks may be configured to block ICMP Echo Requests
◦ Firewalls may filter out ICMP traffic

28  Ping uses the Internet Control Message Protocol (ICMP)
◦ Sends out ICMP requests (ICMP ECHO_REQUEST) and waits for a valid reply (ICMP ECHO_REPLY)
◦ Tells you that the destination is reachable, and (with the -R record-route option) the route between your computer and the other one

29  fping (Fast Ping)
◦ Similar to the ping program: sends out ICMP Echo Request packets and reports on host reachability, packet loss and round-trip delay
◦ Unlike ping
 fping can send ICMP packets to multiple IP addresses simultaneously
 fping is meant to be used in scripts and its output is easy to parse

30  Give a range or network on the command line
# fping -g 193.145.85.201 193.145.85.220
# fping -g 192.168.1.0/24
 Read addresses from an input file
# fping -f AddressFile

32  Interval between ping packets (ms): -i 30
 Count of pings to send to each target: -c 2
 Number of retries: -r 3
 Amount of ping data to send (bytes): -b 100
 Etc.

33  hping is a command-line oriented TCP/IP packet assembler/analyzer
◦ Allows users to fragment and manipulate IP packets
◦ Can be used to probe and bypass filtering devices
◦ Supports TCP, UDP, ICMP and RAW-IP protocols

34  Crafting packets helps you obtain more information about a service, by choosing:
◦ Source IP address
◦ Destination IP address
◦ Flags: SYN, ACK, FIN ...

35  Crafting TCP packets is the default behavior of hping.
◦ By specifying the TCP flags, a destination port and a target IP address, one can easily construct TCP packets.
 SYN scan or stealth scan
◦ An open port is indicated by an SA (SYN/ACK) return packet, a closed port by an RA (RST/ACK)
◦ E.g. 1
# hping -I eth0 -S 192.168.10.1 -p 80

36  A nice feature is ++, which increases the destination port by one for each packet sent.
◦ E.g. 2 (scan upward from port 80 and keep only the open ones)
# hping -I eth0 -S 192.168.10.1 -p ++79 | grep SA
 All known nmap scanning techniques can be reproduced this way

37  Idle scanning is a technique to port scan a remote system anonymously: the target only ever sees packets from the silent host.
 Three hosts take part in an idle scan:
◦ The attacker, who runs two sessions of hping
◦ The server, the machine to be scanned
◦ The silent host, a machine that is not busy generating packets
 and whose IP header IDENTIFICATION field increases predictably (by one per packet sent)

38  A suitable silent host can be found by running the following hping probe; the id field should go up by exactly one per reply.
# hping -I eth0 -SA 192.168.10.1
HPING 192.168.10.1 (eth0 192.168.10.1): SA set, 40 headers + 0 data bytes
len=46 ip=192.168.10.1 flags=R seq=0 ttl=255 id=18106 win=0 rtt=0.4 ms
len=46 ip=192.168.10.1 flags=R seq=1 ttl=255 id=18107 win=0 rtt=0.4 ms
len=46 ip=192.168.10.1 flags=R seq=2 ttl=255 id=18108 win=0 rtt=0.4 ms
...

40  The attacker runs a continuous probe against the silent host, and at the same time scans the server with packets whose source address is spoofed to the silent host's.
Step 2, the spoofed scan of the server by the attacker (-a sets the spoofed source address):
# hping -I eth0 -a 192.168.10.1 -S 192.168.10.33 -p ++20
HPING 192.168.10.33 (eth0 192.168.10.33): S set, 40 headers + 0 data bytes

41 Steps 1 and 4: a continuous probe from the attacker to the silent host to monitor the IP IDENTIFICATION field (-r prints the id relative to the previous reply):
# hping -I eth0 -r -S 192.168.10.1 -p 2000
HPING 192.168.10.1 (eth0 192.168.10.1): S set, 40 headers + 0 data bytes
..
len=46 ip=192.168.10.1 flags=RA seq=86 ttl=255 id=+1 win=0 rtt=1.6 ms
len=46 ip=192.168.10.1 flags=RA seq=87 ttl=255 id=+2 win=0 rtt=1.6 ms   (port 21)
len=46 ip=192.168.10.1 flags=RA seq=88 ttl=255 id=+1 win=0 rtt=1.8 ms
len=46 ip=192.168.10.1 flags=RA seq=89 ttl=255 id=+1 win=0 rtt=1.7 ms
len=46 ip=192.168.10.1 flags=RA seq=90 ttl=255 id=+1 win=0 rtt=1.8 ms
len=46 ip=192.168.10.1 flags=RA seq=91 ttl=255 id=+2 win=0 rtt=1.4 ms   (port 25)

42  Scenario 1: open port
◦ If the attacker's spoofed SYN hits an open port on the server, the server responds with a SYN/ACK to the silent host.
◦ The silent host did not start that connection, so it reacts by sending a RST to the server, which increases its IP_ID by one.
◦ The next probe the attacker sends therefore comes back with an IP_ID 2 units higher than the previous probe (one for the RST, one for the probe reply itself).

43  Scenario 2: closed port
◦ If the attacker's spoofed SYN hits a closed port on the server,
◦ the server sends a RST to the silent host, and a RST never provokes a reply.
 IP_ID is not increased, since the silent host simply discards this RST; the next probe reply is only 1 unit higher.
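The two scenarios above, and the step sequence on slides 40-41, as an added example (not code from the slides or from hping): a simulation in which three in-process hosts exchange dict "packets", so nothing touches the wire. The silent host's IP ID increases by one for every packet it emits, as on slide 37; the verdict rule is delta 2 = open, delta 1 = closed. Addresses are the slides' 192.168.10.1 (silent host) and 192.168.10.33 (server) plus a made-up attacker 192.168.10.99. The background_packets parameter models a "silent" host that is not really idle, the usual reason an idle scan gives wrong answers.

```python
"""Idle (zombie) scan walked through as a simulation (added example; not from the slides or hping)."""


class SilentHost:
    """The zombie: idle, predictable IP ID, RFC-style responses."""

    def __init__(self, addr, start_id=18106):
        self.addr = addr
        self.ip_id = start_id

    def send(self, dst, flags):
        self.ip_id += 1                                  # one packet out = ID + 1
        return {"src": self.addr, "dst": dst, "flags": flags, "id": self.ip_id}

    def receive(self, pkt):
        if pkt["flags"] == "S":                          # attacker's probe to a closed port -> RST/ACK
            return self.send(pkt["src"], "RA")
        if pkt["flags"] == "SA":                         # unsolicited SYN/ACK -> RST (a packet goes out)
            return self.send(pkt["src"], "R")
        return None                                      # a bare RST/ACK is dropped: nothing is sent


class Server:
    """The target: SYN/ACK for open ports, RST/ACK for closed ones."""

    def __init__(self, addr, open_ports):
        self.addr = addr
        self.open_ports = set(open_ports)

    def receive(self, pkt):
        if pkt["flags"] != "S":
            return None
        flags = "SA" if pkt["dport"] in self.open_ports else "RA"
        return {"src": self.addr, "dst": pkt["src"], "flags": flags, "sport": pkt["dport"]}


def probe_ip_id(attacker_addr, silent):
    """Steps 1/4 of the slides: hping -S to a closed port on the silent host, read the id of its RA."""
    reply = silent.receive({"src": attacker_addr, "dst": silent.addr, "dport": 2000, "flags": "S"})
    return reply["id"]


def idle_scan(attacker_addr, silent, server, ports, background_packets=0):
    """Return {port: verdict}. background_packets simulates a zombie that is not really idle."""
    verdicts = {}
    for port in ports:
        before = probe_ip_id(attacker_addr, silent)
        # Step 2: SYN to the server with the source address spoofed to the silent host (hping -a)
        reply = server.receive({"src": silent.addr, "dst": server.addr, "dport": port, "flags": "S"})
        # Step 3: the server's answer lands on the silent host, never on the attacker
        silent.receive(reply)
        for _ in range(background_packets):              # unrelated traffic from a busy 'zombie'
            silent.send("192.168.10.50", "PA")
        after = probe_ip_id(attacker_addr, silent)
        delta = after - before
        if delta == 2:
            verdicts[port] = "open"        # SA provoked a RST from the zombie: +1 for it, +1 for our probe
        elif delta == 1:
            verdicts[port] = "closed"      # RA was dropped silently: only our own probe counted
        else:
            verdicts[port] = f"unreliable (IP ID delta {delta})"
    return verdicts


if __name__ == "__main__":
    zombie = SilentHost("192.168.10.1")
    target = Server("192.168.10.33", open_ports={21, 25, 80})
    print(idle_scan("192.168.10.99", zombie, target, [21, 22, 25, 80]))
    print(idle_scan("192.168.10.99", SilentHost("192.168.10.1"), target, [80], background_packets=1))
```

Real implementations (nmap -sI) send several spoofed SYNs per port and average the deltas to survive some background traffic, and modern kernels that randomise or zero the IP ID (per-destination counters on Linux, random IDs on OpenBSD) make a host unusable as a zombie, which is exactly what the slide-38 probe is checking for.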

44  Example: SYN traffic against an IIS 5.0 machine (Windows 2000 SP4 Professional).
◦ Use a spoofed source address with the -a switch; otherwise the attacking machine's own kernel, which knows nothing about the hping SYN, answers every SYN/ACK with a TCP reset.
◦ To increase the packet rate, use the -i switch with a u prefix to give the interval in microseconds
 E.g., -i u1000 means one packet every 1000 microseconds.
# hping -I eth0 -a 192.168.10.99 -S 192.168.10.33 -p 80 -i u1000

45 -i --interval
Wait the specified number of seconds or microseconds between sending each packet. --interval X sets the wait to X seconds, --interval uX sets the wait to X microseconds. The default is to wait one second between packets. When using hping2 to transfer files, tuning this option is really important in order to increase the transfer rate.
--fast  Alias for -i u10000: a 10 ms gap, i.e. 100 packets per second.
--faster  Alias for -i u1. Faster than --fast ;) (but not as fast as your computer can send packets, due to the signal-driven design).
--flood  Send packets as fast as possible, without taking care to show incoming replies. This is way faster than specifying the -i u0 option.

