Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.
-
Upload
damon-page -
Category
Documents
-
view
217 -
download
0
Transcript of Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.
![Page 1: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/1.jpg)
Chapter 2Chapter 2
ScanningScanning
Last modified 2-2-11
![Page 2: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/2.jpg)
Determining If The System Is Alive Determining If The System Is Alive
![Page 3: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/3.jpg)
Determining If The System Is Alive Determining If The System Is Alive
Network Ping SweepsNetwork Ping Sweeps– Ping is traditionally used to send ICMP ECHO Ping is traditionally used to send ICMP ECHO
(Type 8) packets to a target system(Type 8) packets to a target system– Response is ICMP ECHO_REPLY (Type 0) Response is ICMP ECHO_REPLY (Type 0)
indicating the target system is alive indicating the target system is alive – Traffic can be ICMP, ARP, TCP, or UDPTraffic can be ICMP, ARP, TCP, or UDP
![Page 4: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/4.jpg)
ARP Host Discovery
Demo: Cain
![Page 5: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/5.jpg)
ARP Host Discovery
![Page 6: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/6.jpg)
ARP Scan
Advantages – Operates at layer 2– A firewall will not conceal a device from an
ARP scan
Disadvantage– Must be on target’s network segment– Cannot scan through routers
![Page 7: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/7.jpg)
ARP Scanning Tools
arp-scan– Linux command-line tool
Nmap-PR to do ARP scan-sn to skip host discovery
Cain– Sniffer tab– Enable sniffer– Click +
![Page 8: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/8.jpg)
Demo:Nmap
![Page 9: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/9.jpg)
ICMP Packet TypesICMP Packet Types
Message Type: 0 - Echo ReplyMessage Type: 0 - Echo ReplyMessage Type: 3 - Destination UnreachableMessage Type: 3 - Destination UnreachableMessage Type: 4 - Source QuenchMessage Type: 4 - Source QuenchMessage Type: 5 - RedirectMessage Type: 5 - RedirectMessage Type: 8 – Echo RequestMessage Type: 8 – Echo RequestMessage Type: 11 - Time ExceededMessage Type: 11 - Time ExceededMessage Type: 12 - Parameter ProblemMessage Type: 12 - Parameter ProblemMessage Type: 13 - TimestampMessage Type: 13 - TimestampMessage Type: 14 - Timestamp ReplyMessage Type: 14 - Timestamp ReplyMessage Type: 15 - Information RequestMessage Type: 15 - Information RequestMessage Type: 16 - Information ReplyMessage Type: 16 - Information ReplyMessage Type: 17 – Address Mask RequestMessage Type: 17 – Address Mask RequestMessage Type: 18 – Address Mask ReplyMessage Type: 18 – Address Mask Reply
![Page 10: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/10.jpg)
ICMP Queries ICMP Queries
icmpquery uses ICMP type 13 icmpquery uses ICMP type 13 (TIMESTAMP) to find the system time, (TIMESTAMP) to find the system time, which shows its timezonewhich shows its timezone
ICMP type 17 (ADDRESS MASK ICMP type 17 (ADDRESS MASK REQUEST) shows the subnet maskREQUEST) shows the subnet mask– Link Ch 2nLink Ch 2n
![Page 11: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/11.jpg)
Network Discovery Tools
![Page 12: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/12.jpg)
Nmap ICMP Options
![Page 13: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/13.jpg)
nping (Included with Nmap)
![Page 14: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/14.jpg)
SuperScanSuperScan
Windows Windows freewarefreewareNot so fast Not so fast anymoreanymoreDoes PING Does PING scanning, using scanning, using several types of several types of ICMP packetsICMP packetsAlso does port Also does port scanning, banner scanning, banner grabbing, whois, grabbing, whois, and enumerationand enumeration
![Page 15: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/15.jpg)
Unix Ping Detection ToolsUnix Ping Detection Tools
ScanlogdScanlogd
CourtneyCourtney
IpplIppl
ProtologProtolog
![Page 16: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/16.jpg)
ICMP BlockingICMP Blocking
ICMP is often blocked these daysICMP is often blocked these days– Blocked by default in Win XP SP2, Win 2003 Blocked by default in Win XP SP2, Win 2003
SP 1, and VistaSP 1, and Vista
If ICMP is blocked, use port scanningIf ICMP is blocked, use port scanning– Slower than ping sweepingSlower than ping sweeping
SuperScan for WindowsSuperScan for Windows
Nmap for Linux, Unix, or WindowsNmap for Linux, Unix, or Windows
Hping2 for Unix (can fragment packets)Hping2 for Unix (can fragment packets)
![Page 17: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/17.jpg)
Ping Sweeps Countermeasures Ping Sweeps Countermeasures
Detecting Ping SweepsDetecting Ping Sweeps– Network-based Intrusion Detection Systems Network-based Intrusion Detection Systems
like Snort detect ping sweepslike Snort detect ping sweeps– Ping scans will be in the host logsPing scans will be in the host logs– Firewalls can detect ping scansFirewalls can detect ping scans
![Page 18: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/18.jpg)
Blocking ICMPBlocking ICMP
Routers may require some ICMP packets, Routers may require some ICMP packets, but not all typesbut not all types
Safest procedure would be to allow ICMP Safest procedure would be to allow ICMP only from your ISP, and only to public only from your ISP, and only to public servers on your DMZservers on your DMZ
![Page 19: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/19.jpg)
Other ICMP ThreatsOther ICMP Threats
ICMP can be used for a Denial of Service ICMP can be used for a Denial of Service attackattack
ICMP can be used as a covert channel ICMP can be used as a covert channel with Lokiwith Loki– Allowing unauthorized data transferAllowing unauthorized data transfer– Such as control signals for a back-door trojanSuch as control signals for a back-door trojan– Links Ch 2l, Ch 2mLinks Ch 2l, Ch 2m
![Page 20: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/20.jpg)
Determining Which Services Determining Which Services are Running or Listeningare Running or Listening
![Page 21: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/21.jpg)
2121
Normal TCP HandshakeNormal TCP Handshake
ClientClient SYN SYN ServerServer
ClientClient SYN/ACK SYN/ACK ServerServer
ClientClient ACKACK ServerServer
After this, you are ready to send dataAfter this, you are ready to send data
![Page 22: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/22.jpg)
2222
SYN Port ScanSYN Port ScanClientClient SYN SYN ServerServer
ClientClient SYN/ACK SYN/ACK ServerServer
ClientClient RSTRST ServerServer
The server is ready, but the client decided The server is ready, but the client decided not to complete the handshakenot to complete the handshake
![Page 23: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/23.jpg)
2323
Types of Port ScansTypes of Port Scans
SYN scanSYN scan– Stealthy scan, because session handshakes are Stealthy scan, because session handshakes are
never completednever completed– That keeps it out of some log filesThat keeps it out of some log files– Three statesThree states
ClosedClosed
OpenOpen
FilteredFiltered
![Page 24: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/24.jpg)
2424
Types of Port ScansTypes of Port Scans
Connect scanConnect scan– Completes the three-way handshakeCompletes the three-way handshake– Not stealthy--appears in log filesNot stealthy--appears in log files– Three statesThree states
ClosedClosed
OpenOpen
FilteredFiltered
![Page 25: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/25.jpg)
Other Scan TypesOther Scan Types
TCP FIN scan TCP FIN scan
TCP Xmas Tree scan (FIN, URG, and TCP Xmas Tree scan (FIN, URG, and PUSH)PUSH)
TCP Null scan TCP Null scan – Handled differently by Linux and WindowsHandled differently by Linux and Windows
TCP ACK scan TCP ACK scan – Returns RST unless the port is filteredReturns RST unless the port is filtered
![Page 26: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/26.jpg)
UDP ScanningUDP Scanning
No handshake, so less useful than TCP No handshake, so less useful than TCP scansscans
Much more powerful in newer versions of Much more powerful in newer versions of NmapNmap
Sends valid UDP requests to well-known Sends valid UDP requests to well-known portsports– Send a DNS query to port 53, etc.Send a DNS query to port 53, etc.
Response indicates open UDP portResponse indicates open UDP port
![Page 27: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/27.jpg)
TCP HeaderTCP Header
WINDOWWINDOW indicates the amount of data that may indicates the amount of data that may be sent before an acknowledgement is requiredbe sent before an acknowledgement is required
![Page 28: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/28.jpg)
TCP Window ScanTCP Window Scan
Sends ACK packetsSends ACK packets– Both open and closed ports reply with RST Both open and closed ports reply with RST
packetspackets– But on some operating systems, the But on some operating systems, the
WINDOW size in the TCP header is non-zero WINDOW size in the TCP header is non-zero for open ports, because the listening service for open ports, because the listening service does sometimes send datadoes sometimes send data
– Link Ch 2xLink Ch 2x
![Page 29: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/29.jpg)
RPC ScanRPC Scan
SunRPC (Sun Remote Procedure Call) is SunRPC (Sun Remote Procedure Call) is a common UNIX protocol used to a common UNIX protocol used to implement many services including NFS implement many services including NFS (Network File System)(Network File System)
The RPC scan works on Unix systems, The RPC scan works on Unix systems, including Solarisincluding Solaris
Enumerates RPC services, which are rich Enumerates RPC services, which are rich in exploitable security holesin exploitable security holes– See link Ch 2ySee link Ch 2y
![Page 30: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/30.jpg)
NmapNmap
Interesting optionsInteresting options-f -f fragments packetsfragments packets
-D-D Launches decoy scans for Launches decoy scans for concealmentconcealment
-I-I IDENT Scan – finds owners of IDENT Scan – finds owners of processesprocesses
(on Unix systems)(on Unix systems)
-b-b FTP Bounce (see next slide)FTP Bounce (see next slide)
![Page 31: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/31.jpg)
FTP BounceFTP Bounce
1. Transfer attack code to FTP server
2. Request file transfer to target
Attacker
FTP Server
Target
![Page 32: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/32.jpg)
FTP BounceFTP Bounce
Old FTP servers allowed a request for a Old FTP servers allowed a request for a file transfer to a third IP addressfile transfer to a third IP address
This could be used to send email or other This could be used to send email or other data to the third computer from the FTP data to the third computer from the FTP serverserver
Very old attack, from 1995Very old attack, from 1995
Almost unusable todayAlmost unusable today
![Page 33: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/33.jpg)
Windows-Based Port Scanners Windows-Based Port Scanners
SuperScanSuperScan– Four different ICMP host-discovery Four different ICMP host-discovery
techniquestechniques– Accurate UDP scan sending "Data+ICMP" Accurate UDP scan sending "Data+ICMP" – Banner grabbingBanner grabbing– Many other toolsMany other tools
Nmap with the Zenmap GUINmap with the Zenmap GUI– Powerful, runs on WindowsPowerful, runs on Windows
![Page 34: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/34.jpg)
Command-line ScannersCommand-line Scanners
ScanlineScanline– For WindowsFor Windows
netcatnetcat– For Windows and LinuxFor Windows and Linux
nmapnmap– Can be run on the command line, on Windows Can be run on the command line, on Windows
or Linuxor Linux
![Page 35: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/35.jpg)
Port Scanning Countermeasures Port Scanning Countermeasures
Snort (http://www.snort.org) is a great free Snort (http://www.snort.org) is a great free IDS (Intrusion Detection System)IDS (Intrusion Detection System)– [**] spp_portscan: PORTSCAN DETECTED [**] spp_portscan: PORTSCAN DETECTED from 192.168.1.10 [**] 05/22-from 192.168.1.10 [**] 05/22-18:48:53.681227 [**] spp_portscan: 18:48:53.681227 [**] spp_portscan: portscan status from 192.168.1.10: 4 portscan status from 192.168.1.10: 4 connections across 1 hosts: TCP(0), connections across 1 hosts: TCP(0), UDP(4) [**] 05/22-18:49:14.180505 [**] UDP(4) [**] 05/22-18:49:14.180505 [**] spp_portscan: End of portscan from spp_portscan: End of portscan from 192.168.1.10 [**] 05/22-18:49:34.180236192.168.1.10 [**] 05/22-18:49:34.180236
![Page 36: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/36.jpg)
Other Detection ToolsOther Detection Tools
ScanlogdScanlogd– Detects TCP Port Scans on UnixDetects TCP Port Scans on Unix
Firewalls can detect port scansFirewalls can detect port scans– Use Use threshold loggingthreshold logging to limit the volume of to limit the volume of
email alerts sent by your firewallemail alerts sent by your firewall– That groups similar alerts into a single emailThat groups similar alerts into a single email
AttackerAttacker– Windows tool from Foundstone to detect port Windows tool from Foundstone to detect port
scansscans
![Page 37: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/37.jpg)
Preventing Port ScansPreventing Port Scans
You can't stop the scans from coming in, You can't stop the scans from coming in, but you can mimimize your attack surfacebut you can mimimize your attack surface
Disable unnecessary servicesDisable unnecessary services
![Page 38: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/38.jpg)
Detecting the Operating System Detecting the Operating System
Banner-GrabbingBanner-Grabbing– Many services announce what they are in Many services announce what they are in
response to requestsresponse to requests– Banner grabbers just collect those bannersBanner grabbers just collect those banners– But they could be spoofedBut they could be spoofed
![Page 39: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/39.jpg)
Active Stack Fingerprinting Active Stack Fingerprinting
Details of the TCP Packets are used to Details of the TCP Packets are used to identify the operating systemidentify the operating system
Nmap does this, using these probes:Nmap does this, using these probes:– FIN probe FIN probe – Bogus Flag probe Bogus Flag probe – Initial Sequence Number (ISN) sampling Initial Sequence Number (ISN) sampling – "Don't fragment bit" monitoring "Don't fragment bit" monitoring – TCP initial window size TCP initial window size
And many othersAnd many others
![Page 40: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/40.jpg)
Operating System Detection Operating System Detection Countermeasures Countermeasures
IDS can detect operating system detection IDS can detect operating system detection scansscans
Hacking the OS to change its TCP stack is Hacking the OS to change its TCP stack is dangerous, and not recommendeddangerous, and not recommended
Best policy: Accept that your firewalls and Best policy: Accept that your firewalls and proxy servers will be scanned and proxy servers will be scanned and fingerprinted, and harden them against fingerprinted, and harden them against attackers who know the OSattackers who know the OS
![Page 41: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/41.jpg)
Passive Operating System Passive Operating System Identification Identification
Sniff traffic and guess the OS from thatSniff traffic and guess the OS from that
Examine these featuresExamine these features– TTLTTL (time-to-live) (time-to-live)– Window sizeWindow size– DFDF (Don't fragment bit) (Don't fragment bit)
siphon was the first tool to do this, it's out siphon was the first tool to do this, it's out of dateof date
p0f is a newer one (link Ch 2z6)p0f is a newer one (link Ch 2z6)
![Page 42: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/42.jpg)
p0f on Vistap0f on Vista
Run p0f in a Command Prompt WindowRun p0f in a Command Prompt Window
Open a Web pageOpen a Web page
It fingerprints any OS it can see on the It fingerprints any OS it can see on the LANLAN
![Page 43: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/43.jpg)
Nmap Plus MetasploitNmap Plus Metasploit
Nmap scans can be imported into Nmap scans can be imported into Metasploit for further exploitationMetasploit for further exploitation
Details at end of chapter 2Details at end of chapter 2
![Page 44: Chapter 2 Scanning Last modified 2-2-11. Determining If The System Is Alive.](https://reader036.fdocuments.us/reader036/viewer/2022062321/56649eff5503460f94c14817/html5/thumbnails/44.jpg)
Automated Discovery Tool: Automated Discovery Tool: Cheops-ngCheops-ng
Combines Ping, Combines Ping, Traceroute, Port Traceroute, Port Scans, and OS Scans, and OS Detection to draw Detection to draw a network mapa network map– Link Ch 2z7Link Ch 2z7
Windows 7's Windows 7's "Network Map" is "Network Map" is similarsimilar