CIT 380: Securing Computer Systems
Transcript of CIT 380: Securing Computer Systems
CIT 380: Securing Computer Systems Slide #1
CIT 380: Securing Computer Systems
Scanning
War Driving
• Finding wireless access points
NetStumbler
• Active scanning: sends probe requests with the ESSID set to "any" (the wildcard)
• Waits for access points to answer with probe responses
• www.netstumbler.com (free, Windows)
• Figure 6.1 on page 244
Wellenreiter
• Passive scanning: sniffs 802.11 beacons and probe responses without transmitting anything, so the scanner itself cannot be detected
• Linux
• Figure 6.2 on page 246
ESSID-Jack
• Figure 6.3 page 248
Defenses
• Use WPA (WPA2 where supported) rather than WEP; an open or WEP network advertises itself as such in every beacon
• Use an ESSID that does not identify you (not the company, building or department name)
• Use a VPN over the wireless link, so the WLAN is treated as an untrusted network
• Detect rogue access points (periodically war drive your own premises)
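A worked illustration of the two discovery methods on the NetStumbler and Wellenreiter slides, and of what the defenses above change on the wire, added here as an editorial example (it is not part of the original slides, nor code from NetStumbler or Wellenreiter). build_probe_request is the active probe with the wildcard ESSID; parse_mgmt and passive_survey decode beacons the way a passive tool does, reporting the BSSID, channel, whether the ESSID is cloaked, and whether the beacon announces open, WEP, WPA or WPA2. All frame bytes, MAC addresses and ESSIDs are constructed, and frames are assumed to arrive without the trailing FCS.

```python
import struct

# 802.11 management frame header, little-endian: frame control, duration,
# addr1 (destination), addr2 (source), addr3 (BSSID), sequence control.
# Assumption: frames are as a monitor-mode capture delivers them, without the trailing FCS.
MGMT_HDR = struct.Struct("<HH6s6s6sH")
BEACON_FIXED = struct.Struct("<QHH")      # timestamp, beacon interval, capability info
BROADCAST = b"\xff" * 6
SUBTYPES = {4: "probe-req", 5: "probe-resp", 8: "beacon"}
CAP_PRIVACY = 0x0010                       # capability bit: link-layer encryption (WEP/WPA/WPA2)
IE_SSID, IE_RATES, IE_DS_PARAMS, IE_RSN, IE_VENDOR = 0, 1, 3, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"         # Microsoft OUI + type 1 marks the WPA1 element

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ie(tag, payload):
    return bytes([tag, len(payload)]) + payload

def parse_ies(body):
    """Split the tag/length/value information elements that follow the fixed fields."""
    out, i = {}, 0
    while i + 2 <= len(body):
        tag, n = body[i], body[i + 1]
        out.setdefault(tag, []).append(body[i + 2:i + 2 + n])
        i += 2 + n
    return out

def build_probe_request(src_mac):
    """Active scan (NetStumbler style): broadcast probe request whose SSID element is
    empty, i.e. the wildcard 'any'; every AP in range answers with a probe response."""
    fc = 0x0040                           # type 0 (management), subtype 4 (probe request)
    hdr = MGMT_HDR.pack(fc, 0, BROADCAST, src_mac, BROADCAST, 0)
    return hdr + ie(IE_SSID, b"") + ie(IE_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))

def build_beacon(bssid, ssid, channel, privacy=False, rsn=False, wpa=False):
    """Constructed beacon, the frame an AP broadcasts about ten times a second."""
    fc = 0x0080                           # type 0 (management), subtype 8 (beacon)
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)     # ESS bit, plus privacy when encrypting
    body = BEACON_FIXED.pack(0, 100, cap) + ie(IE_SSID, ssid) + ie(IE_DS_PARAMS, bytes([channel]))
    if rsn:
        body += ie(IE_RSN, b"\x01\x00")   # RSN element (version 1) announces WPA2
    if wpa:
        body += ie(IE_VENDOR, WPA_OUI_TYPE + b"\x01\x00")   # vendor element announcing WPA1
    return MGMT_HDR.pack(fc, 0, BROADCAST, bssid, bssid, 0) + body

def parse_mgmt(frame):
    """Passive discovery (Wellenreiter style): decode one sniffed management frame, or
    return None for anything that is not a beacon / probe request / probe response."""
    fc, _, _, src, bssid, _ = MGMT_HDR.unpack_from(frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    kind, body, privacy = SUBTYPES[subtype], frame[MGMT_HDR.size:], None
    if kind != "probe-req":               # only beacons and probe responses carry fixed fields
        privacy = bool(BEACON_FIXED.unpack_from(body, 0)[2] & CAP_PRIVACY)
        body = body[BEACON_FIXED.size:]
    ies = parse_ies(body)
    ssid = ies.get(IE_SSID, [b""])[0]
    if privacy is None:
        enc = None
    elif IE_RSN in ies:
        enc = "WPA2"
    elif any(v.startswith(WPA_OUI_TYPE) for v in ies.get(IE_VENDOR, [])):
        enc = "WPA"
    else:
        enc = "WEP" if privacy else "open"
    return {
        "kind": kind, "bssid": mac_str(bssid), "source": mac_str(src),
        "ssid": ssid.decode("utf-8", "replace"),
        "hidden": kind != "probe-req" and len(ssid) == 0,   # cloaked ESSID: empty SSID element
        "channel": ies[IE_DS_PARAMS][0][0] if IE_DS_PARAMS in ies else None,
        "encryption": enc,
    }

def passive_survey(frames):
    """What a passive war-driving tool accumulates from a capture: one record per BSSID."""
    seen = {}
    for frame in frames:
        info = parse_mgmt(frame)
        if info and info["kind"] != "probe-req":
            seen[info["bssid"]] = info
    return seen

# Constructed sample capture: an open AP, a WPA2 AP whose ESSID names its owner,
# a cloaked WEP AP, and one NetStumbler-style probe request from a scanner.
SAMPLE_FRAMES = [
    build_beacon(b"\x00\x11\x22\x33\x44\x55", b"guest", 6),
    build_beacon(b"\x00\x11\x22\x33\x44\x66", b"ACME-Finance-Floor3", 11, privacy=True, rsn=True),
    build_beacon(b"\x00\x11\x22\x33\x44\x77", b"", 1, privacy=True),
    build_probe_request(b"\xaa\xbb\xcc\xdd\xee\xff"),
]

if __name__ == "__main__":
    for bssid, ap in sorted(passive_survey(SAMPLE_FRAMES).items()):
        print(bssid, ap["ssid"] or "<hidden>", "ch", ap["channel"], ap["encryption"])
```

Note that the cloaked AP still shows up in the survey with its BSSID, channel and encryption type; hiding the ESSID only removes the name from beacons, it does not hide the network, which is why the defenses above lead with WPA rather than with cloaking.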
War Dialing
• Attacker dials a range of numbers looking for modems
• THC-Scan, Figure 6.4 on page 255
  – Random dialing order
  – Random waiting time between calls (defeats simple call-pattern detection)
  – Nudging: sends a few characters once a modem answers, to elicit banners and login prompts that identify the system
War Dialing
• Look for systems without passwords
• Look for default passwords
• Run through a list of common passwords
Why Modems
• To allow out-of-band access to routers, etc. (management when the network itself is down)
• To bypass VPNs: rogue modems that users attach to their desktops give dial-in access straight into the internal network, around the firewall and VPN
Defenses
• Modem policy (who may have one, and how it must be secured)
• Test for rogue modems (war dial your own number ranges)
Topics
1. Port Scanning
2. Stealth Scanning
3. Version Identification
4. OS Fingerprinting
5. Vulnerability Scanning
Port Scanning
Method of discovering exploitable communication channels by probing networked hosts to find which TCP and UDP ports they’re listening on.
nmap
• Written by Fyodor (Gordon Lyon)
• Table 6.2 on pages 270-1
nmap TCP connect() scan
> nmap -sT at204m02
(1645 ports scanned but not shown are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
443/tcp   open  https
515/tcp   open  printer
2049/tcp  open  nfs
4045/tcp  open  lockd
5432/tcp  open  postgres
5901/tcp  open  vnc-1
6000/tcp  open  X11
32775/tcp open  sometimes-rpc13
Nmap run completed -- 1 IP address (1 host up) scanned in 43.846 seconds
Scanning Techniques
1. TCP connect() scan
2. TCP SYN scan
3. TCP FIN scan
4. TCP Xmas scan
5. TCP Null scan
6. TCP ACK scan
7. Fragmentation Scan
8. FTP bounce scan
9. Idle Scan
10. UDP scan
TCP connect() scan
• Use connect() system call on each port, following normal TCP connection protocol (3-way handshake).
• connect() will succeed if port is listening.
• Advantages: fast, requires no privileges
• Disadvantages: easily detected and blocked; the handshake completes, so the listening service (and any TCP wrapper or IDS) sees and can log each connection.
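An added example, not from the slides or from nmap, of the connect() scan just described: it starts a constructed loopback listener that logs each accepted connection and sends a banner, scans one open and one closed port with ordinary connect() calls, and reads the banner from the open port (the simplest form of version identification). The banner text and the ports are made up; the log line the listener records for the open port is what makes this scan easy to detect.

```python
import errno
import socket
import threading


class LoggingListener:
    """Constructed stand-in for a network daemon: accepts on a loopback port,
    logs the peer (as a real service or TCP wrapper would) and sends a banner."""

    def __init__(self, banner=b"SSH-2.0-OpenSSH_4.3\r\n"):   # banner text is made up
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))            # port 0: let the kernel pick one
        self.sock.listen(5)
        self.sock.settimeout(0.2)                   # so the serving thread can notice stop
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        self.log = []
        self.stop = threading.Event()
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while not self.stop.is_set():
            try:
                conn, addr = self.sock.accept()     # returns only for a completed 3-way handshake
            except socket.timeout:
                continue
            self.log.append("connection from %s:%d" % addr)
            conn.sendall(self.banner)
            conn.close()

    def close(self):
        self.stop.set()
        self.thread.join()
        self.sock.close()


def connect_scan(host, ports, timeout=1.0):
    """TCP connect() scan (nmap -sT): one ordinary connect() per port.
    connect_ex() returns 0 when the handshake completed (open), ECONNREFUSED
    when the target answered with RST (closed) and another error when nothing
    came back before the timeout (filtered).  Open ports also have their
    banner read, which is the simplest form of version identification."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            err = s.connect_ex((host, port))
            if err == 0:
                try:
                    banner = s.recv(256)
                except socket.timeout:
                    banner = b""
                results[port] = ("open", banner.strip().decode("ascii", "replace"))
            elif err == errno.ECONNREFUSED:
                results[port] = ("closed", "")
            else:
                results[port] = ("filtered", "")
    return results


def demo():
    """Scan one listening loopback port and one port nothing listens on."""
    listener = LoggingListener()
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                                   # nothing listens there any more
    try:
        results = connect_scan("127.0.0.1", [listener.port, closed_port])
    finally:
        listener.close()
    return results, listener.port, closed_port, list(listener.log)


if __name__ == "__main__":
    results, open_port, closed_port, log = demo()
    for port, (state, banner) in sorted(results.items()):
        print(f"{port}/tcp {state} {banner}")
    print("target's log:", log)   # the connect() scan appears here; a SYN scan would not
```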
TCP SYN Scan
• Send SYN packet and wait for response
  – SYN+ACK
    • Port is open
    • Send RST to tear down the half-open connection instead of completing the handshake
  – RST
    • Port is closed
• Advantage: less likely to be logged or blocked, because the connection never completes and the listening application never sees it
• Disadvantage: requires root privilege (raw sockets)
TCP FIN scan
• Send TCP FIN packet and wait for response
  – No response
    • Port is open (or the probe was dropped by a filter, which looks the same)
  – RST
    • Port is closed
• Advantages: more stealthy than SYN scan
• Disadvantages: MS Windows doesn't follow the standard (RFC 793) and responds with RST in both cases, so every port on a Windows host looks closed; requires root privilege.
Xmas and Null Scans
• Similar to FIN scan with different flag settings.
• Xmas Scan: Sets FIN, URG, and PUSH flags.
• Null Scan: Turns off all TCP flags.
TCP ACK Scan
• Does not identify open ports
• Used to determine firewall type
  – Packet filter (stateless): passes any packet with the ACK bit set, assuming it belongs to an established connection
  – Stateful: drops an ACK that matches no connection it has seen
• Send TCP ACK packet to specified port
  – RST
    • Port is unfiltered (packet got through; the host answers RST whether the port is open or closed)
  – No response or ICMP unreachable
    • Port is filtered
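The following is an added example, not from the slides or from nmap, that makes the SYN, FIN, Xmas, Null and ACK scan rules on the preceding slides concrete. It builds the raw 20-byte TCP header each probe would carry (with a valid pseudo-header checksum), runs the probe against a simulated target that answers per RFC 793, per the Windows RST-for-everything behaviour, or from behind a stateless or stateful firewall, and classifies the reply with nmap's state names (silence on a FIN/Xmas/Null probe is reported as open|filtered, since a dropped probe is indistinguishable from an open port). Nothing is sent on the network, which is what would need root and raw sockets; the IP addresses and ports are placeholders.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Flag combinations used by the scans on these slides
SCAN_FLAGS = {"syn": SYN, "fin": FIN, "xmas": FIN | PSH | URG, "null": 0, "ack": ACK}


def checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def tcp_probe(src_ip, dst_ip, sport, dport, scan, seq=0x1000):
    """The 20-byte TCP header a raw-socket scanner would emit for `scan`.
    The checksum covers the IPv4 pseudo-header, hence the addresses."""
    flags = SCAN_FLAGS[scan]
    ack = 0x2000 if flags & ACK else 0
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def verify_checksum(src_ip, dst_ip, segment):
    """A correctly checksummed segment sums to zero together with its pseudo-header."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def target_response(probe_flags, port_open, stack="rfc793", firewall=None):
    """Simulated target: TCP flags of the reply, or None when nothing comes back.
    stack:    'rfc793' (Unix-like) or 'windows' (RST to any probe of an open port)
    firewall: None, 'stateless' (drops inbound SYNs, passes anything with ACK set)
              or 'stateful' (drops every packet belonging to no known connection)."""
    if firewall == "stateless" and not probe_flags & ACK:
        return None
    if firewall == "stateful":
        return None
    if not port_open:
        return RST                      # RFC 793: a closed port answers everything with RST
    if probe_flags & SYN and not probe_flags & ACK:
        return SYN | ACK                # normal handshake
    if probe_flags & ACK:
        return RST                      # ACK for a connection that does not exist
    return RST if stack == "windows" else None   # FIN/Xmas/Null against an open port


def classify(scan, response):
    """Port state a scanner infers from the reply, using nmap's labels."""
    if scan == "ack":
        return "unfiltered" if response == RST else "filtered"
    if scan == "syn":
        if response is None:
            return "filtered"
        return "open" if response & SYN and response & ACK else "closed"
    # fin / xmas / null: silence is read as open, but a dropped probe looks the same
    return "closed" if response == RST else "open|filtered"


def scan_port(scan, port_open, stack="rfc793", firewall=None):
    """Build the probe, hand its flags byte (offset 13) to the target, classify the reply."""
    probe = tcp_probe("10.0.0.5", "10.0.0.9", 40000, 80, scan)   # placeholder addresses
    return classify(scan, target_response(probe[13], port_open, stack, firewall))


if __name__ == "__main__":
    for scan in SCAN_FLAGS:
        print(f"{scan:5s} flags=0x{SCAN_FLAGS[scan]:02x}",
              "open->", scan_port(scan, True), " closed->", scan_port(scan, False),
              " open@windows->", scan_port(scan, True, stack="windows"))
```

The Windows row is the practical lesson from the FIN-scan slide: against that stack every port comes back "closed", so a FIN, Xmas or Null scan that reports nothing open tells you about the target's TCP implementation, not about its services. The ACK rows show the firewall distinction the ACK-scan slide makes: a stateless filter lets the ACK through and the host's RST comes back ("unfiltered"), a stateful one drops it ("filtered").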
Fragmentation Scan
• Modify a TCP stealth scan (SYN, FIN, Xmas, Null) to use tiny fragmented IP datagrams, so the TCP header is split across fragments (nmap -f).
• Advantages: increases difficulty of scan detection and blocking for packet filters and sniffers that do not reassemble fragments before inspecting them.
• Disadvantages: does not work on all OSes, and may crash some firewalls/sniffers.