J. A. Drew Hamilton, Jr., Ph.D. - Mississippi State...


Transcript of J. A. Drew Hamilton, Jr., Ph.D. - Mississippi State...

Page 1: J. A. Drew Hamilton, Jr., Ph.D. - Mississippi State Universityweb.cse.msstate.edu/.../CEH/lessons/3_Scanning_and... · • Understand EC-Council’s scanning methodology ... All-in-One

Mississippi State University Center for Cyber Innovation 1

J. A. “Drew” Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation

Professor, Computer Science & Engineering

CCI Post Office Box 9627 Mississippi State, MS 39762

Voice: (662) 325-2294 Fax: (662) 325-7692 [email protected]

Page 2:

Section Objectives
• Understand EC-Council's scanning methodology
• Describe scan types and the objectives of scanning
• Understand the use of various scanning and enumeration tools
• Describe TCP communication (three-way handshake and flag types)
• Understand basic subnetting
• Understand enumeration and enumeration techniques
• Describe vulnerability scanning concepts and actions
• Describe steps involved in performing enumeration

Page 3:

Scanning and Enumeration

Dr. Drew Hamilton Reference: Dr. John Copeland Reference: Dr. Pascal Meunier

Reference: Matt Walker All-in-One CEH Certified Ethical Hacker

Page 4:

TCP/IP Fundamentals

[Figure: two end-host protocol stacks, Application Layer ((S)HTTP), Transport Layer (TCP, UDP), Network Layer (IP), Data Link Layer and Physical Layer, connected through a router. One host is on Ethernet, the other on Token Ring. The router implements only the Network, Data Link and Physical layers; it buffers the packets that need to be forwarded and picks the next hop based on the IP address. A Process on each host is the end point of the communication.]

Page 5:

Router Network - Table Set Up

In a router network, circuits are defined by entries in the routing tables along the way. These may be static (set up manually) or dynamic (set up by the routing algorithm running in the router).

[Figure: seven routers (1-7) joined by trunk (long-haul) links; stations A-E attach to routers over local connections. The highlighted path A to D shows the sequence of routing-table entries that carry a packet from station A's router to station D's.]

Page 6:

Optimal Paths From Router 1 (or To Router 1)

Define Router 1's sink tree

[Figure: the same seven-router network (routers 1-7, stations A-E, local connections and trunk/long-haul links), with the tree of optimal paths rooted at router 1 highlighted.]

Page 7:

TCP/IP Example

[Figure: the layered diagram of page 4 with the end points filled in. A web server at IP address 130.207.22.5, port 80, talks to a browser at IP address 24.88.15.22, port 31337, through a router that buffers and forwards packets based on the IP address. The server side is on Ethernet, the browser side on Token Ring; the application data (HTTP) is carried in TCP segments, each with its own segment (sequence) number.]

Page 8:

Connection & Connectionless Communication

• Connection-oriented = Transmission Control Protocol
  – The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite.
  – It originated in the initial network implementation, in which it complemented the Internet Protocol (IP); therefore the entire suite is commonly referred to as TCP/IP.
  – A connection is set up (the three-way handshake) before any data flows; data is delivered in order and retransmitted if lost.
• Connectionless = User Datagram Protocol
  – UDP is an alternative to TCP, used primarily for low-latency, loss-tolerant exchanges between applications on the Internet. There is no connection setup and no acknowledgement; each datagram stands alone.
  – "Fire and forget": simpler, faster and less reliable.

Page 9:

TCP versus UDP

Page 10:

UDP Datagram Structure

[Figure: the 8-byte UDP header: source port (16 bits), destination port (16 bits), length (16 bits), checksum (16 bits), followed by the data.]

Page 11:

TCP Segment Structure

[Figure: the TCP header: source port (16 bits), destination port (16), sequence number (32), acknowledgment number (32), data offset (4), reserved (4), flags (8: CWR, ECE, URG, ACK, PSH, RST, SYN, FIN), window (16), checksum (16), urgent pointer (16), options, then the data.]

Page 12:

TCP Flags
• SYN (Synchronize)
  – Set during initial connection establishment.
  – Indicates negotiation of parameters and of the initial sequence numbers.
• ACK (Acknowledgment)
  – Indicates that the acknowledgment-number field is valid: the sender has received everything up to that number.
  – Set on every segment after the initial SYN (the second segment of the handshake carries SYN and ACK together).
• RST (Reset)
  – Forces a termination of communications in both directions. It is also the reply to a SYN sent to a closed port, which is how a scanner tells a closed port from a filtered one.
• FIN (Finish)
  – Signals an ordered close: the sender has no more data to send.
• PSH (Push)
  – Forces delivery of the data without regard for buffering: the receiving stack hands the data to the application immediately instead of waiting for its buffer to fill.
• URG (Urgent)
  – Indicates that the urgent-pointer field is valid and that the data it points to is out of band. Cancelling a command mid-stream (a Telnet interrupt) is one example.
• Flag combinations that never occur in a legitimate conversation (no flags at all, a lone FIN with no connection, FIN+PSH+URG together) are the basis of NULL, FIN and Xmas scans.
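The flag semantics above decide what a stack, a firewall or a scanner makes of a segment. The following Python is an added example (not from the slides or from the All-in-One text): it builds raw 20-byte TCP headers, decodes the flag byte, labels the combinations a scanner relies on, and checks that three segments form a valid three-way handshake. The ports 31337 and 80 are taken from the figure on page 7; the sequence numbers, the helper names and the handshake rules (the SYN/ACK must acknowledge the client's ISN + 1, the final ACK the server's ISN + 1) are this example's own, and the checksum is left at zero because computing it needs the IP pseudo-header.

```python
import struct

# Flag bits of the 14th header byte (RFC 793; CWR/ECE added by RFC 3168).
TCP_FLAGS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}

def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Minimal 20-byte TCP header (no options) carrying the named flags.
    Checksum stays 0: it covers the IP pseudo-header, which is out of scope here."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAGS[name]
    data_offset = 5 << 4          # 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flag_byte, window, 0, 0)

def parse_tcp_header(segment):
    """Decode the fixed header fields and return the set of flag names."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flag_byte,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4
    if header_len < 20:
        raise ValueError("data offset below the minimum header length")
    flags = {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags,
            "window": window, "urg_ptr": urg}

def classify_segment(flags):
    """Label a segment by the flag combinations a scanner or stateful firewall cares about."""
    f = set(flags)
    if not f:
        return "NULL probe"            # no flags at all is never legitimate
    if f >= {"FIN", "PSH", "URG"} and not f & {"ACK", "SYN"}:
        return "XMAS probe"
    if f == {"FIN"}:
        return "FIN probe"
    if "SYN" in f and "ACK" in f:
        return "SYN/ACK"
    if "SYN" in f:
        return "SYN"
    if "RST" in f:
        return "RST"
    if "FIN" in f:
        return "FIN"                   # ordered close, normally FIN/ACK
    if "ACK" in f:
        return "ACK"
    return "other"

def check_three_way_handshake(segments):
    """Verify SYN, SYN/ACK (acknowledging seq+1), ACK (acknowledging the server's seq+1).
    Returns (ok, reason)."""
    if len(segments) != 3:
        return False, "expected exactly three segments"
    syn, synack, ack = (parse_tcp_header(s) for s in segments)
    if syn["flags"] != {"SYN"}:
        return False, "first segment is not a bare SYN"
    if synack["flags"] != {"SYN", "ACK"} or synack["ack"] != (syn["seq"] + 1) & 0xFFFFFFFF:
        return False, "second segment is not a SYN/ACK for the client's ISN"
    if (synack["sport"], synack["dport"]) != (syn["dport"], syn["sport"]):
        return False, "ports of the SYN/ACK do not mirror the SYN"
    if ("ACK" not in ack["flags"] or "SYN" in ack["flags"]
            or ack["ack"] != (synack["seq"] + 1) & 0xFFFFFFFF):
        return False, "third segment does not acknowledge the server's ISN"
    return True, "ok"

# Constructed sample exchange: client port 31337 -> server port 80 (ports from the page-7 figure).
CLIENT_ISN, SERVER_ISN = 1000, 5000
HANDSHAKE = [
    build_tcp_header(31337, 80, CLIENT_ISN, 0, ["SYN"]),
    build_tcp_header(80, 31337, SERVER_ISN, CLIENT_ISN + 1, ["SYN", "ACK"]),
    build_tcp_header(31337, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ["ACK"]),
]
XMAS = build_tcp_header(31337, 80, 0, 0, ["FIN", "PSH", "URG"])

if __name__ == "__main__":
    for seg in HANDSHAKE + [XMAS]:
        print(classify_segment(parse_tcp_header(seg)["flags"]))
    print(check_three_way_handshake(HANDSHAKE))
```

The handshake check is deliberately strict about acknowledgment numbers: a SYN/ACK whose ACK field does not equal the client's ISN + 1 is either corruption or a spoofed reply, and a stateful filter should drop it rather than open a connection entry.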

Page 13:

Transport Layer

Page 14:

Transport Layer

Process-to-process delivery

Page 15:

Transport Layer Addressing

Addresses
• Data link layer → MAC address
• Network layer → IP address
• Transport layer → Port number (chooses among the multiple processes running on the destination host)

Page 16:

Port Numbers

• Port numbers are 16-bit integers (0 → 65,535)
  – Servers use well-known ports; 0-1023 are privileged (on Unix-like systems a process needs root, or on Linux the CAP_NET_BIND_SERVICE capability, to bind to them)
  – Clients use ephemeral (short-lived) ports
• The Internet Assigned Numbers Authority (IANA) maintains the list of port number assignments
  – Well-known ports (0-1023) → controlled and assigned by IANA
  – Registered ports (1024-49151) → IANA registers and lists their use as a convenience (49152 is ¾ of 65536)
  – Dynamic ports (49152-65535) → ephemeral ports
  – Operating systems do not all follow the IANA dynamic range: Linux, for example, defaults to 32768-60999 (see /proc/sys/net/ipv4/ip_local_port_range)
  – For well-known port numbers, see /etc/services on a UNIX or Linux machine

Page 17:

Common Port Numbers

Page 18:

Some tools to experiment with
• CurrPorts (Windows, NirSoft)
• netstat (on current Linux also ss)

Page 19:

IP Addresses

•  Structure of an IP address •  Subnetting •  CIDR •  IP Version 6 addresses

Page 20:

IP Addresses

Encapsulation: Ethernet header | IP header | TCP header | Application data | Ethernet trailer (one Ethernet frame)

IP header (each row is 32 bits):
  version (4 bits) | header length (4 bits) | Type of Service/TOS (8 bits) | Total Length in bytes (16 bits)
  Identification (16 bits) | flags (3 bits) | Fragment Offset (13 bits)
  TTL Time-to-Live (8 bits) | Protocol (8 bits) | Header Checksum (16 bits)
  Source IP address (32 bits)
  Destination IP address (32 bits)

Page 21:

IP Addresses

Encapsulation: Ethernet header | IP header | TCP header | Application data | Ethernet trailer (one Ethernet frame)

The same header with example values filled in (each row is 32 bits):
  version 0x4 | header length 0x5 (5 words = 20 bytes) | TOS 0x00 | Total Length 44 (decimal)
  Identification 0x9d08 | flags 010 (Don't Fragment set) | Fragment Offset 0
  TTL 128 (decimal) | Protocol 0x06 (TCP) | Header Checksum 0x8bff
  Source IP address 128.143.137.144
  Destination IP address 128.143.71.21
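To make the decoded header concrete, here is an added Python example (not from the slides) that reconstructs the header above as bytes, parses every field, and verifies the RFC 791 header checksum, which comes out to 0x8bff exactly as on the slide. The byte string is constructed from the slide's values rather than captured traffic, and the function names are this example's own. The bounds checks on IHL and total length are the part worth copying: packet parsers that trust those fields without checking them against the buffer length are a classic source of memory-safety bugs.

```python
import struct
import ipaddress

def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of the 16-bit words, complemented.
    Computed over a header whose checksum field is zero it yields the checksum; computed
    over a received header (checksum field included) it must yield 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def compute_header_checksum(header):
    """Checksum a sender would put into bytes 10-11 of this header."""
    return ipv4_checksum(header[:10] + b"\x00\x00" + header[12:])

def parse_ipv4_header(packet):
    """Decode the fixed 20-byte IPv4 header (plus options when IHL > 5) into a dict."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 header")
    header_len = ihl * 4
    if header_len < 20 or header_len > len(packet):
        raise ValueError("IHL inconsistent with the data actually present")
    if total_len < header_len:
        raise ValueError("total length smaller than the header")
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,                 # 3 bits: reserved, DF, MF
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,    # in units of 8 bytes
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": ipv4_checksum(packet[:header_len]) == 0,
        "options": packet[20:header_len],
    }

# Header bytes reconstructed from the slide's values: version 4, IHL 5, TOS 0, total length 44,
# id 0x9d08, flags 010 (DF), offset 0, TTL 128, protocol 6 (TCP), checksum 0x8bff,
# 128.143.137.144 -> 128.143.71.21. Constructed sample, not a capture.
SLIDE_HEADER = bytes.fromhex("4500002c9d0840008006" "8bff" "808f8990" "808f4715")

if __name__ == "__main__":
    for key, value in parse_ipv4_header(SLIDE_HEADER).items():
        print(f"{key:16} {value}")
    print(hex(compute_header_checksum(SLIDE_HEADER)))
```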

Page 22:

What is an IP Address?

• An IP address is a globally unique address for a network interface (in principle: private address ranges behind NAT are reused by many networks)
• An IP address:
  – is a 32-bit identifier
  – encodes a network number (network prefix)
  – and a host number

Page 23:

Dotted Decimal Notation

• IP addresses are written in a so-called dotted decimal notation
• Each byte is identified by a decimal number in the range [0..255]:
• Example:

  10000000 10001111 10001001 10010000
  1st byte = 128, 2nd byte = 143, 3rd byte = 137, 4th byte = 144

  128.143.137.144

Page 24:

Network Prefix and Host Number

[Figure: the 32-bit address split into network prefix | host number]

• The network prefix identifies a network and the host number identifies a specific host (actually, an interface on the network).
• How do we know how long the network prefix is?
  – The network prefix used to be implicitly defined (class-based addressing: A, B, C, D, ...)
  – The network prefix is now flexible and is indicated by a prefix length/netmask (classless).

Page 25:

Example: argon.cs.virginia.edu
• IP address is 128.143.137.144
  – Is that enough information to route a datagram? No: every IP device (host and router) also needs the netmask or prefix length.
• Using prefix notation the IP address is: 128.143.137.144/16
  – Network prefix is 16 bits long
• Network mask is: 255.255.0.0, or in hex: ffff0000
  → Network id (IP address AND netmask) is: 128.143.0.0
  → Host number (IP address AND inverse of netmask) is: 137.144

[Figure: 128.143 | 137.144 (network prefix | host number)]

Page 26:

The old way: Classful IP Addresses

• When Internet addresses were standardized (early 1980s), the Internet address space was divided up into classes:
  – Class A: network prefix is 8 bits long
  – Class B: network prefix is 16 bits long
  – Class C: network prefix is 24 bits long
• Each IP address contained a key which identifies the class:
  – Class A: IP address starts with "0"
  – Class B: IP address starts with "10"
  – Class C: IP address starts with "110"

Page 27:

The old way: Internet Address Classes

[Figure: bit layouts of the three unicast classes]
  Class A: bit 0 = 0 | network id (bits 1-7) | host (bits 8-31): network prefix 8 bits, host number 24 bits
  Class B: bits 0-1 = 10 | network id (bits 2-15) | host (bits 16-31): network prefix 16 bits, host number 16 bits
  Class C: bits 0-2 = 110 | network id (bits 3-23) | host (bits 24-31): network prefix 24 bits, host number 8 bits

Page 28:

The old way: Internet Address Classes

[Figure: bit layouts of the remaining classes]
  Class D: bits 0-3 = 1110 | multicast group id (bits 4-31)
  Class E: bits 0-3 = 1111 | reserved for future use (bits 4-31)

• We will learn about multicast addresses later in this course.

Page 29:

Problems with Classful IP Addresses
• The original classful address scheme had a number of problems

Problem 1. Too few network addresses for large networks
  – Class A and Class B addresses are gone

Problem 2. A two-layer hierarchy is not appropriate for large networks with Class A and Class B addresses.
  – Fix #1: Subnetting

Page 30:

Problems with Classful IP Addresses

Problem 3. Inflexible. Assume a company requires 2,000 addresses
  – Class A and B addresses are overkill
  – A Class C address is insufficient (it would take 8 Class C addresses)
  – Fix #2: Classless Interdomain Routing (CIDR)

Page 31:

Problems with Classful IP Addresses

Problem 4: Exploding Routing Tables: Routing on the backbone Internet needs to have an entry for each network address. In 1993, the size of the routing tables started to outgrow the capacity of routers.

– Fix #2: Classless Interdomain Routing (CIDR)

Page 32:

Problems with Classful IP Addresses

Problem 5. The Internet is going to outgrow the 32-bit addresses

– Fix #3: IP Version 6

Page 33:

Subnetting

• Problem: Organizations have multiple networks which are independently managed
  – Solution 1: Allocate an address for each network
    • Difficult to manage
    • From outside the organization, each network must be addressable, i.e. have an identifiable address.
  – Solution 2: Add another level of hierarchy to the IP addressing structure

[Figure: a University Network containing separately managed networks for the Medical School, the Library and the Engineering School]

Page 34:

Basic Idea of Subnetting

• Split the host number portion of an IP address into a subnet number and a (smaller) host number.
• Result is a 3-layer hierarchy
• Then:
  • Subnets can be freely assigned within the organization
  • Internally, subnets are treated as separate networks
  • Subnet structure is not visible outside the organization

[Figure: without subnetting: network prefix | host number; with subnetting: network prefix | subnet number | host number, where network prefix + subnet number = extended network prefix]

Page 35:

Subnet Masks

• Routers and hosts use an extended network prefix (subnet mask) to identify the start of the host numbers

[Figure: a Class B address, network (16 bits) | host (16 bits). With subnetting: network | subnet | host, where the network prefix (16 bits) plus the subnet field form the extended network prefix (24 bits). Subnet mask 255.255.255.0 = 11111111 11111111 11111111 00000000]

* There are different ways of subnetting. Commonly used netmasks for university networks with a /16 prefix (Class B) are 255.255.255.0 and 255.255.0.0

Page 36:

Example of a Subnetting Plan

[Figure: the Internet connects through a router to IP network 128.49.0.0/16 (2 bytes available for subnetting), which is divided into Subnet 1 = 128.49.0.0/24, Subnet 2 = 128.49.1.0/25, Subnet 3 = 128.49.1.128/25 and Subnet 4 = 128.49.3.0/24, with an internal router R between the subnets. Subnets 2 and 3 together form the subnetwork 128.49.1.0/24, split on the leading bit of the fourth byte: 0 = 00000000 and 128 = 10000000.]

Page 37:

Advantages of Subnetting
• With subnetting, IP addresses use a 3-layer hierarchy:
  » Network
  » Subnet
  » Host
• Improves efficiency of IP addresses by not consuming an entire address space for each physical network.
• Reduces router complexity. Since external routers do not know about subnetting, the complexity of routing tables at external routers is reduced.
• Note: The length of the subnet mask need not be identical at all subnetworks.

Page 38:

Subnetting Example

Page 39:

Network without subnets

128.143.0.0/16

Page 40:

Same Network with Subnets

Page 41:

Same network w/ different subnetmasks

128.143.137.0 Subnet

Page 42:

Subnetting Example

• An organization with 4 departments has the following IP address space: 10.2.22.0/23. As the systems manager, you are required to create subnets to accommodate the IT needs of the 4 departments. The subnets have to support 200, 61, 55, and 41 hosts respectively. What are the 4 subnet network numbers?
• Solution:
  – 10.2.22.0/24 (256 addresses > 200)
  – 10.2.23.0/26 (64 addresses > 61)
  – 10.2.23.64/26 (64 addresses > 55)
  – 10.2.23.128/26 (64 addresses > 41)
• Check: the network and broadcast addresses of each subnet cannot be assigned to hosts, so a /24 really offers 254 hosts and a /26 offers 62; both still cover the requirements above. Allocating the largest subnet first keeps every subnet on a boundary that is a multiple of its own size.
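The hand calculation above generalizes to variable-length subnetting of any block. The following Python (an added example, not part of the slides) computes the smallest prefix that leaves enough usable hosts, hands out subnets largest-first from a list of free blocks using the standard library's ipaddress module, and reproduces the four subnets in the solution. It also splits an address such as 128.143.137.144/16 into network id and host number as on page 25. The department names and the function names are this example's own assumptions.

```python
import ipaddress

def prefix_for_hosts(hosts):
    """Smallest IPv4 prefix length whose usable host count (2^h - 2) is at least `hosts`."""
    if hosts < 1:
        raise ValueError("need at least one host")
    h = 2                                   # a /31 or /32 has no usable host addresses
    while (1 << h) - 2 < hosts:
        h += 1
    return 32 - h

def allocate_subnets(block, demands):
    """Variable-length subnetting: one subnet per (name, hosts) demand, largest first,
    carved out of `block`. Returns {name: IPv4Network}; raises when the block is exhausted."""
    free = [ipaddress.ip_network(block)]
    result = {}
    for name, hosts in sorted(demands, key=lambda d: d[1], reverse=True):
        need = prefix_for_hosts(hosts)
        # best fit: the smallest free block that can still hold a /need, lowest address first
        candidates = [b for b in free if b.prefixlen <= need]
        if not candidates:
            raise ValueError(f"out of space while placing {name} (/{need})")
        chosen = min(candidates, key=lambda b: (-b.prefixlen, int(b.network_address)))
        free.remove(chosen)
        if chosen.prefixlen == need:
            assigned = chosen
        else:
            assigned = next(chosen.subnets(new_prefix=need))   # first /need inside the block
            free.extend(chosen.address_exclude(assigned))      # keep the rest for later demands
        result[name] = assigned
    return result

def split_address(interface):
    """Network id and host number of an address written with its prefix, e.g. 128.143.137.144/16."""
    iface = ipaddress.ip_interface(interface)
    host_bits = 32 - iface.network.prefixlen
    host_number = int(iface.ip) & ((1 << host_bits) - 1)
    return str(iface.network), host_number

# The four departments of the slide's exercise (names are this example's own).
DEMANDS = [("A", 200), ("B", 61), ("C", 55), ("D", 41)]

if __name__ == "__main__":
    for name, net in allocate_subnets("10.2.22.0/23", DEMANDS).items():
        print(f"{name}: {net}  ({net.num_addresses - 2} usable hosts)")
    print(split_address("128.143.137.144/16"))
```

Using `address_exclude` to return the unused remainder of a block to the free list is what keeps the result aligned: the leftover 10.2.23.192/26 is still available for a fifth department without renumbering anything.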

Page 43:

CIDR - Classless Interdomain Routing

• IP backbone routers have one routing table entry for each network address:
  – With subnetting, a backbone router only needs to know one entry for each network
  – This is acceptable for Class A and Class B networks
    • 2^7 = 128 Class A networks
    • 2^14 = 16,384 Class B networks
  – But this is not acceptable for Class C networks
    • 2^21 = 2,097,152 Class C networks
• In 1993, the size of the routing tables started to outgrow the capacity of routers
• Consequence: The class-based assignment of IP addresses had to be abandoned

Page 44:

CIDR - Classless Interdomain Routing

• Goals:
  – Restructure IP address assignments to increase efficiency
  – Hierarchical route aggregation to minimize routing table entries

Key Concept: The length of the network id (prefix) in IP addresses is arbitrary/flexible and is defined by the network hierarchy.

• Consequence:
  – Routers use the IP address and the length of the prefix for forwarding.
  – All advertised IP addresses must include a prefix length

Page 45:

CIDR Example

• CIDR notation of a network address: 192.0.2.0/18
• "18" says that the first 18 bits are the network part of the address (strictly, 192.0.2.0 is not on an 18-bit boundary; the /18 that contains it is 192.0.0.0/18, and a strict parser rejects 192.0.2.0/18 as a network address)
• The network part is called the network prefix
• Example:
  – Assume that a site requires an IP network domain that can support 1000 IP host addresses
  – With CIDR, the network is assigned a contiguous block of 1024 = 2^10 (> 1000) addresses with a 32 - 10 = 22-bit long prefix

Page 46:

CIDR: Prefix Size vs. Host Space

CIDR Block Prefix | # of Host Addresses
/27 | 32
/26 | 64
/25 | 128
/24 | 256
/23 | 512
/22 | 1,024
/21 | 2,048
/20 | 4,096
/19 | 8,192
/18 | 16,384
/17 | 32,768
/16 | 65,536
/15 | 131,072
/14 | 262,144
/13 | 524,288

(These are the total addresses in the block, 2^(32 - prefix); subtract the network and broadcast addresses for the number of usable hosts.)

Page 47:

CIDR and Address Assignments

• Backbone ISPs obtain large blocks of IP address space and then reallocate portions of their address blocks to their customers.

Example:
• Assume that an ISP owns the address block 206.0.64.0/18, which represents 16,384 (2^(32-18) = 2^14) IP host addresses
• Suppose a client requires 800 host addresses
  – 512 = 2^9 < 800 < 1024 = 2^10 → 32 - 10 = 22
  – Assigning a /22 block, i.e. 206.0.68.0/22, gives a block of 1,024 (2^10) IP addresses to the client.

Page 48:

Subnetting and Classless Inter Domain Routing (CIDR)

• Subnetting is done by allocating some of the leading bits of the host number to indicate a subnet number.
  – With subnetting, the network prefix and the subnet number make up an extended network prefix.
  – The extended prefix can be expressed in terms of a subnet mask or, using CIDR notation, by adding the length of the extended prefix after the IP address.
  – For example, for Argon, the first byte of the host number (the third byte of the IP address) is used to denote the subnet number:
    – 128.143.0.0/16 is the IP address of the network (network prefix /16),
    – 128.143.137.0/24 is the IP address of the subnet,
    – 128.143.137.144/32 is the IP address of the host, and
    – 255.255.255.0 is the subnet mask of the host (or subnet prefix /24)

Page 49:

CIDR and Routing Information

[Figure: the Internet backbone holds the prefixes 206.0.64.0/18, 204.188.0.0/15 and 209.88.232.0/21 for ISP K. Within them, Company X has 206.0.68.0/22 and ISP Y has 209.88.237.0/24; inside ISP Y's block, Organization Z1 has 209.88.237.192/26 and Organization Z2 has 209.88.237.0/26.]

Page 50:

CIDR and Routing Information

[Figure: the same hierarchy: backbone prefixes 206.0.64.0/18, 204.188.0.0/15, 209.88.232.0/21 → ISP K; 206.0.68.0/22 → Company X; 209.88.237.0/24 → ISP Y; 209.88.237.192/26 → Organization Z1; 209.88.237.0/26 → Organization Z2]

• The backbone sends everything which matches the prefixes 206.0.64.0/18, 204.188.0.0/15 and 209.88.232.0/21 to ISP K.
• ISP K sends everything which matches the prefix 206.0.68.0/22 to Company X, and 209.88.237.0/24 to ISP Y.
• ISP Y sends everything which matches the prefix 209.88.237.192/26 to Organization Z1, and 209.88.237.0/26 to Organization Z2.
• Backbone routers do not know anything about Company X, ISP Y, or Organizations Z1 and Z2; ISP K does not know about Organizations Z1 and Z2.

Page 51:

CIDR and Routing

• Aggregation of routing table entries:
  – 128.143.0.0/16 and 128.142.0.0/16 can be represented as 128.142.0.0/15 at a router.
    • 143 = 10001111, 142 = 10001110: the two /16s differ only in bit 16, so they share a 15-bit prefix
• Longest prefix match: the routing table lookup finds the routing entry that matches the longest prefix
  – Why? Several entries may cover the same destination; the longest prefix is the most specific one, and therefore the one under which the address was actually delegated.
  E.g., what is the outgoing interface for destination IP address 128.143.137.0?

  Routing table:
  Prefix | Interface/outgoing link
  128.143.128.0/17 | interface #1
  128.128.0.0/9 | interface #2
  128.0.0.0/4 | interface #5

  All three prefixes match 128.143.137.0 (137 = 10001001, so the address lies in the upper half of 128.143.0.0/16), and the longest, /17, wins: interface #1.
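As an added example (not from the slides), the Python below implements the two operations discussed above with the standard ipaddress module: a longest-prefix-match lookup over the routing table shown, and aggregation of prefixes into the covering supernet a router would advertise. The table entries and the destination 128.143.137.0 are the slide's; the function names are this example's own.

```python
import ipaddress

# Routing table from the slide: (prefix, outgoing interface).
ROUTING_TABLE = [
    ("128.143.128.0/17", 1),
    ("128.128.0.0/9", 2),
    ("128.0.0.0/4", 5),
]

def build_table(entries):
    """Parse the prefixes (strict: host bits must be zero) and sort them most specific first,
    which is the order a lookup has to try them in."""
    table = [(ipaddress.ip_network(p, strict=True), iface) for p, iface in entries]
    table.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return table

def longest_prefix_match(table, destination):
    """(matching prefix, interface) for the most specific entry covering the destination,
    or None when nothing matches (a real table would end in a 0.0.0.0/0 default route)."""
    addr = ipaddress.ip_address(destination)
    for net, iface in table:               # sorted most specific first, so the first hit wins
        if addr in net:
            return str(net), iface
    return None

def aggregate(prefixes):
    """Collapse adjacent or overlapping prefixes into the smallest set of covering prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def covers_all(aggregated_prefix, prefixes):
    """True when every original prefix lies inside the aggregate, i.e. the summary loses nothing."""
    agg = ipaddress.ip_network(aggregated_prefix)
    return all(ipaddress.ip_network(p).subnet_of(agg) for p in prefixes)

if __name__ == "__main__":
    table = build_table(ROUTING_TABLE)
    print(longest_prefix_match(table, "128.143.137.0"))   # /17 is the most specific -> interface 1
    print(longest_prefix_match(table, "128.143.1.1"))     # below the /17 -> falls to the /9 -> interface 2
    print(aggregate(["128.143.0.0/16", "128.142.0.0/16"]))
```

The same rule has a security consequence: because the most specific prefix always wins, anyone who can get a more specific announcement accepted (a /24 carved out of someone else's /16) captures that traffic, which is the mechanics of a BGP prefix hijack. Route-origin validation (RPKI) exists to reject such announcements.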

Page 52:

IPv6 - IP Version 6

• IP Version 6
  – Is the successor to the currently used IPv4
  – Its design was selected in 1994 and the first specification, RFC 1883, was published in 1995 (since replaced by RFC 2460 and then by RFC 8200)
  – Makes improvements to IPv4 (no revolutionary changes)
• One (not the only!) feature of IPv6 is a significant increase in the size of the IP address to 128 bits (16 bytes)
• IPv6 will solve, for the foreseeable future, the problems with IP addressing

Page 53:

IPv6 Header

Encapsulation: Ethernet header | IPv6 header | TCP header | Application data | Ethernet trailer (one Ethernet frame)

[Figure: the fixed 40-byte IPv6 header: version (4 bits), traffic class (8), flow label (20); payload length (16), next header (8), hop limit (8); source address (128); destination address (128). There is no header checksum and no fragmentation field in the fixed header; fragmentation moved to an extension header.]

Page 54:

IPv6 vs. IPv4: Address Comparison

• IPv4 has a maximum of 2^32 ≈ 4 billion addresses
• IPv6 has a maximum of 2^128 = (2^32)^4 ≈ 4 billion × 4 billion × 4 billion × 4 billion addresses

Page 55:

Notation of IPv6 addresses

• Convention: The 128-bit IPv6 address is written as eight 16-bit integers, each in hexadecimal, separated by colons:
  CEDF:BF76:3245:4464:FACE:2E50:3025:DF12
• Short notation:
  • Leading zeroes of a group can be dropped:
    CEDF:BF76:0000:0000:009E:0000:3025:DF12 → CEDF:BF76:0:0:9E:0:3025:DF12
  • One run of all-zero groups, e.g. ":0000:0000", can be written as "::" (only once per address, otherwise the address would be ambiguous):
    CEDF:BF76:0:0:FACE:0:3025:DF12 → CEDF:BF76::FACE:0:3025:DF12
• IPv6 addresses derived from IPv4 addresses have different formats. Convention allows the use of IPv4 notation for the last 32 bits.
  128.143.137.144 → 0:0:0:0:0:ffff:808f:8990, i.e. ::ffff:128.143.137.144 (IPv4-mapped address)
  128.143.137.144 → 2002:808f:8990:0:0:0:0:0 (called a 6to4 address; 6to4 was deprecated in 2015 by RFC 7526)
• Because one address has several textual forms, compare IPv6 addresses by parsing them, not by comparing strings, in access lists and log searches.
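Added example, not part of the slides: the Python below uses the standard ipaddress module to expand and compress addresses, derive the IPv4-mapped and 6to4 forms of an IPv4 address, recover the embedded IPv4 address again, and compare two textual forms safely. The address CEDF:BF76:... is the slide's example; the function names are this example's own.

```python
import ipaddress

def expand(addr):
    """Full eight-group form with leading zeros, e.g. for exact matching in logs."""
    return ipaddress.IPv6Address(addr).exploded

def compress(addr):
    """Canonical short form (RFC 5952): leading zeros dropped, longest zero run as '::'."""
    return ipaddress.IPv6Address(addr).compressed

def ipv4_mapped(ipv4):
    """::ffff:a.b.c.d, the form a dual-stack socket reports an IPv4 peer in."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address((0xFFFF << 32) | int(v4))

def six_to_four(ipv4):
    """2002:aabb:ccdd::/48, the 6to4 prefix derived from a public IPv4 address
    (RFC 3056; the mechanism was deprecated by RFC 7526)."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))

def embedded_ipv4(ipv6):
    """Recover the IPv4 address inside a mapped or 6to4 address, or None for any other address."""
    a = ipaddress.IPv6Address(ipv6)
    return a.ipv4_mapped or a.sixtofour

def same_address(a, b):
    """Compare two textual IPv6 addresses by value; string comparison would call
    'CEDF:BF76::FACE:0:3025:DF12' and 'cedf:bf76:0:0:face:0:3025:df12' different."""
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)

if __name__ == "__main__":
    print(compress("CEDF:BF76:0000:0000:009E:0000:3025:DF12"))
    print(expand("CEDF:BF76::FACE:0:3025:DF12"))
    print(ipv4_mapped("128.143.137.144").exploded, six_to_four("128.143.137.144"))
    print(embedded_ipv4("2002:808f:8990::"))
```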

Page 56:

IPv6 Provider-Based Addresses

•  The first IPv6 addresses will be allocated to a provider-based plan

•  Type: Set to “010” for provider-based addresses

•  Registry: identifies the agency that registered the address

The following fields have a variable length (recommended length in “()”)

•  Provider: Id of Internet access provider (16 bits)

•  Subscriber: Id of the organization at provider (24 bits)

•  Subnetwork: Id of subnet within organization (32 bits)

•  Interface: identifies an interface at a node (48 bits)

Figure: provider-based address layout: 010 | Registry ID | Provider ID | Subscriber ID | Subnetwork ID | Interface ID


More on IPv6 Addresses

•  The provider-based addresses have a similar flavor as CIDR addresses

•  IPv6 provides address formats for:

–  Unicast – identifies a single interface

–  Multicast – identifies a group. Datagrams sent to a multicast address are sent to all members of the group

–  Anycast – identifies a group. Datagrams sent to an anycast address are sent to one of the members in the group.


Socket Addressing

•  Process-to-process delivery needs two identifiers

–  IP address and Port number

–  Combination of IP address and port number is called a socket address (a socket is a communication endpoint)

–  Client socket address uniquely identifies client process

–  Server socket address uniquely identifies server process

•  Transport-layer protocol needs a pair of socket addresses

–  Client socket address

–  Server socket address

–  For example, socket pair for a TCP connection is a 4-tuple

1.  local IP address
2.  local port
3.  foreign IP address
4.  foreign port


Why Sockets?

•  Provides an abstraction for interprocess communication


Socket Definition

•  The services provided (often by the operating system) that provide the interface between application and protocol software.

Figure: the Application sits on top of the Network API, which sits on top of Protocol A / Protocol B / Protocol C.


Functions

–  Define an “end-point” for communication

–  Initiate and accept a connection

–  Send and receive data

–  Terminate a connection gracefully

Examples

–  File transfer apps (FTP), Web browsers (HTTP), Email (SMTP/POP3), etc.


Types of Sockets

•  Two different types of sockets: stream vs. datagram

•  Stream socket (a.k.a. connection-oriented socket)

–  It provides reliable, connected networking service

–  Error free; no out-of-order packets (uses TCP)

–  applications: telnet/ssh, http, …

•  Datagram socket (a.k.a. connectionless socket)

–  It provides unreliable, best-effort networking service

–  Packets may be lost; may arrive out of order (uses UDP)

–  applications: streaming audio/video (realplayer), …


Addressing

Figure: Client and Server


Addresses, Ports and Sockets

•  Like apartments and mailboxes

–  You are the application

–  Your apartment building address is the address

–  Your mailbox is the port

–  The post-office is the network

–  The socket is the key that gives you access to the right mailbox


Client – high level view

Create a socket

Setup the server address

Connect to the server

Read/write data

Shutdown connection


Server – high level view

Create a socket

Bind the socket

Listen for connections

Accept new client connections

Read/write to client connections

Shutdown connection


Sending / Receiving Data

•  With a connection (SOCK_STREAM):

–  int count = send(sock, buf, len, flags);

•  count: # bytes transmitted (-1 if error)
•  buf: char[], buffer to be transmitted
•  len: integer, length of buffer (in bytes) to transmit
•  flags: integer, special options, usually just 0

–  int count = recv(sock, buf, len, flags);

•  count: # bytes received (-1 if error, 0 if the peer has closed the connection)
•  buf: void *, buffer that stores the received bytes
•  len: integer, size of buf in bytes (the maximum that can be received in one call)
•  flags: integer, special options, usually just 0

–  Calls are blocking [returns only after data is sent (to socket buf) / received]


Client – Server Comms

Figure: TCP client and server call sequence.

TCP Server: socket() -> bind() to a well-known port -> listen() -> accept() (blocks until connection from client) -> read() the request -> process request -> write() the reply -> read() returns end-of-file -> close()

TCP Client: socket() -> connect() (connection establishment) -> write() the request -> read() the reply -> close() (end-of-file notification to the server)


Dealing with calls

•  Many functions block

–  accept(), connect()

–  All recv()

•  For simple programs this is fine

•  What about complex connection routines?

–  Multiple connections

–  Simultaneous sends and receives

–  Simultaneously doing non-networking processing
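The server and client call sequences from the preceding slides (create/bind/listen/accept on one side, create/connect/write/read/close on the other, with every call blocking) run against each other on the loopback interface, as an added example that is not the lecture's own code. It assumes nothing beyond the Python standard library; port 0 asks the OS for any free port, and the server runs in a thread because accept() and recv() block.

```python
"""Added example (not the lecture's own code): the server and client call
sequences from the slides run against each other over the loopback
interface. Port 0 asks the OS for any free port; the server runs in a
thread because accept() and recv() block, as the slides note."""
import socket
import threading


def serve_one_client(listen_sock: socket.socket, seen: dict) -> None:
    """Server side: accept() blocks until a client connects; then read the
    request, record the connection's 4-tuple, reply and close (the close
    is what the client sees as end-of-file)."""
    conn, peer = listen_sock.accept()
    with conn:
        request = conn.recv(4096)                 # blocks until data or EOF
        # (local IP, local port, foreign IP, foreign port) as the server sees it
        seen["tuple"] = conn.getsockname() + peer
        conn.sendall(b"reply:" + request)         # sendall retries partial send()


def tcp_round_trip(request: bytes, timeout: float = 5.0) -> dict:
    """Full exchange: socket/bind/listen on the server, socket/connect/
    write/read/close on the client. Returns what both ends observed."""
    seen: dict = {}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # create
    srv.bind(("127.0.0.1", 0))                               # bind
    srv.listen(1)                                            # listen
    server_addr = srv.getsockname()
    worker = threading.Thread(target=serve_one_client, args=(srv, seen), daemon=True)
    worker.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # client: create
    cli.settimeout(timeout)   # a blocking call now fails instead of hanging forever
    with cli:
        cli.connect(server_addr)                             # three-way handshake
        client_tuple = cli.getsockname() + cli.getpeername()
        cli.sendall(request)                                 # write
        chunks = []
        while True:                                          # read until EOF
            chunk = cli.recv(4096)
            if not chunk:          # b"" means the server closed its end
                break
            chunks.append(chunk)
    worker.join(timeout)
    srv.close()
    return {"reply": b"".join(chunks),
            "client_tuple": client_tuple,
            "server_tuple": seen.get("tuple")}


if __name__ == "__main__":
    print(tcp_round_trip(b"hello"))
```

The two 4-tuples in the result are mirror images of each other: the server's foreign address is the client's local address and vice versa, which is the socket pair that uniquely identifies this one TCP connection.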


IP Security Overview

•  IP Packets have no inherent security

–  Relatively easy to

•  forge contents of IP packets
•  modify contents of IP packets
•  inspect the contents of IP packets in transit

•  Therefore, there is no guarantee that IP datagrams received:

–  are from the claimed sender (source address in the IP header)

–  contain the original data that the sender placed in them

–  were not inspected by a third party while the packet was being sent from source to destination


TCP Review

•  The establishment of a TCP connection typically requires the exchange of three Internet packets between two machines in an interchange known as the TCP three-way handshake. Here's how it works:

–  SYN: A TCP client (such as a web browser, ftp client, etc.) initiates a connection with a TCP server by sending a SYN packet to the server.

–  SYN/ACK: When a connection-requesting SYN packet is received at an ‘open’ TCP service port, the server's operating system replies with a connection-accepting SYN/ACK packet.

–  ACK: When the client receives the server's acknowledging SYN/ACK packet for the pending connection, it replies with an ACK packet.


Bandwidth Consumption DoS

•  Traditional SYN flooding DoS attacks are either one-on-one

–  (one machine sending out enough SYN packets to the target machine to effectively choke off access to the other machine)

•  or many-on-one

–  (SYN flooding ‘zombie’ programs loaded by the attacker into compromised machines and commanded by the attacker to send huge volumes of SYN commands to the target machine).


Review of SYN Packets

SYN: A TCP client (such as a web browser, ftp client, etc.) initiates connection with a TCP server by sending a "SYN" packet to the server.


Review of SYN Packets

SYN/ACK: When a connection-requesting SYN packet is received at an "open" TCP service port, the server's operating system replies with a connection-accepting "SYN/ACK" packet.

ACK: When the client receives the server's acknowledging SYN/ACK packet for the pending connection, it replies with an ACK packet.


SYN Packet with Deliberately Spoofed Return Address

Through the use of "Raw Sockets", the packet's "return address" (source IP) can be overridden and falsified. When a SYN packet with a spoofed source IP arrives at the server, it appears as any other valid connection request.


Raw Socket Review

•  Data is exchanged across the Internet by either establishing a bi-directional "TCP Connection" between two machines, or by sending a uni-directional "UDP Datagram" message from one machine to another. Both of these data transferring operations employ standard sockets.


Raw Sockets Review

•  Smooth and orderly traffic flow across the Internet requires machines to inform each other of various non-data events such as closed ports, network congestion, unreachable IP addresses, etc. The ICMP (Internet Control Message Protocol) was created to fill this need.

•  The operating system's built-in TCP/IP stack automatically and transparently generates and receives most of these "Internet plumbing" ICMP messages on behalf of the machine. To facilitate the creation of Internet plumbing applications, such as "ping" and "traceroute", which also employ ICMP messages, the Berkeley designers allowed programmers to manually generate and receive their own ICMP, and other, message traffic. As shown in the diagram, the Berkeley Sockets system provides this power through the use of a so-called "Raw Socket".

•  A Raw Socket short-circuits the TCP/IP stack to open a "backdoor" directly into the underlying network data transport.

–  This provides full and direct "packet level" Internet access to any Unix sockets programmer.


SYN Packet: Destination Unknown

•  The server will allocate the required memory buffers, record the information about the new connection, and send an answering SYN/ACK packet back to the client.

•  But since the source IP contained in the SYN packet was deliberately falsified (it is often a random number), the SYN/ACK will be sent to a random IP address on the Internet.

•  If the packet were addressed to a valid IP, the machine at that address might reply with a "RST" (reset) packet to let the server know that it did not request a connection.

•  But with over 4 billion Internet addresses, the chances are that there will be no machine at the address and the packet will be discarded.


Reflection SYN Flooding

•  With a reflection SYN flooding attack the attacking machines send out huge volumes of SYN packets but with the IP source address pointing to the target machine.

•  The TCP three-way handshake requires that any TCP based service that receives a SYN packet must respond with a SYN/ACK packet.

•  The servers and routers that receive these fraudulent SYN packets dutifully send out the SYN/ACK packet to the machine pointed to by the SYN packet's IP source address.


SYN Reflector Capability

•  Consider this, any general-purpose TCP connection-accepting Internet server could be used to reflect SYN packets.

•  Here is a short list of the more popular TCP ports:

–  22 (Secure Shell)

–  23 (Telnet)

–  53 (DNS)

–  80 (HTTP/web)

–  And, virtually all of the Internet’s routers will accept TCP connections on port 179.

•  To fully comprehend the potential of this new form of DoS attack consider this:

–  it uses a fundamental Internet communications protocol;

–  machines that use this protocol exist in the millions;

–  it is extremely easy to generate a list of ‘SYN packet reflectors’.


Generating and Using the ‘SYN Packet Reflector’ List

•  A simple script can be constructed to collect a large number of ‘SYN packet reflection’ capable routers and servers.

–  Well-known web server farms, such as eBay and Yahoo, are easily available.

–  Simple port scans through high bandwidth IP regions will reveal thousands, if not millions, of available TCP servers.

–  Readily available tools such as Trace Route provide the IP address of every Internet router between the tracer and any other IP address.

•  Given a large list of SYN packet reflectors, each SYN spoofing attack host can distribute its fraudulent SYN packets evenly across every reflector on its list.


Load Balancing the Attack

•  The big win for the attacker is that since the SYN flooding machine is distributing its packets across a huge number of SYN packet reflectors, none of the innocent reflectors will experience significant levels of incomplete TCP connections.

•  And, since routers generally do not retain any record of previously routed packets, it makes tracking an attack from the victim to the attacker extremely difficult.


Force Multipliers

•  As if ease of attack and ubiquity of reflectors were not bad enough, it turns out that the reflectors will generate three or four times more SYN/ACK packets than the number of SYN packets they receive.

•  Since the TCP connection that receives the SYN command is expecting to receive an ACK back from the machine it sent the SYN/ACK response to, it will send out three or four more SYN/ACK responses over the next few minutes.

•  This TCP protocol feature essentially multiplies the number of malicious SYN/ACK packets being sent to the target machine by a factor of three or four.

•  It also means that the flood of SYN/ACK packets will continue to disable the target site for a minute or two even after the attacker has called off the attack.


Collateral Damage

•  The basic connection unit in the Internet is the router.

–  Some routers serve only a small number of machines while other ‘aggregation routers’ collect and disperse large amounts of packet traffic from smaller networks.

•  During normal operations, the traffic flowing through the aggregation routers can be sorted and forwarded to the router's various lower bandwidth client networks.

•  Now imagine a SYN/ACK flood that is so large that it starts to degrade the performance of the aggregation router.

–  Having to process and disperse so many packets to the client networks, the router will drop and discard a portion of the packets.

–  Legitimate Internet clients, trying to access resources that have nothing to do with the target under attack, will also experience degraded, or complete denial of, service.


Solutions to SYN Spoofing

•  Operating system vendors responded to spoofed SYN packet DoS attacks by strengthening their TCP "protocol stacks" in various ways.

•  Most of these were quantitative improvements to make their systems less vulnerable, but they did not eliminate the problem.

•  Two complete, robust, and practical solutions were developed:

–  The Unix community invented a clever "stateless" TCP connection system known as "SYN-cookies".

–  Steve Gibson implemented a different solution which was dubbed "GENESIS".

•  Both of these DoS solutions arrange to stay compatible with all important aspects of the standard TCP protocol.

•  They operate by eliminating all allocation of server resources after receiving a SYN packet and generating a SYN/ACK reply.
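The "stateless" idea behind SYN-cookies, as an added example that is neither the lecture's code nor the real Linux implementation: the listener stores nothing when a SYN arrives, and instead encodes a keyed hash of the connection's 4-tuple, the client's sequence number and a coarse time counter into the initial sequence number of its SYN/ACK. Only an ACK whose acknowledgement number proves knowledge of that cookie creates connection state, so a flood of spoofed SYNs allocates no resources. The key, addresses and timestamps are constructed.

```python
"""Added example (not the lecture's code and not the Linux implementation):
a simplified SYN-cookie handshake showing the 'stateless' idea. The server
allocates nothing on a SYN; the ISN in its SYN/ACK is a keyed hash of the
4-tuple, the client's sequence number and a coarse time counter, so only an
ACK that echoes a valid cookie creates state. Key and addresses are constructed."""
import hashlib
import hmac
import struct

SECRET_KEY = b"constructed-secret-rotate-periodically"   # server-side only
COUNTER_BITS = 5                  # top bits of the ISN: time counter (64 s ticks)
HASH_BITS = 32 - COUNTER_BITS     # low bits: truncated keyed hash
HASH_MASK = (1 << HASH_BITS) - 1
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def _counter(now: float) -> int:
    """Coarse time: one tick per 64 seconds, wrapping at 2**COUNTER_BITS."""
    return int(now // 64) & COUNTER_MASK


def _cookie_hash(tuple4, client_seq: int, counter: int) -> int:
    src_ip, src_port, dst_ip, dst_port = tuple4       # IPs as 4-byte strings
    msg = struct.pack("!4sH4sHII", src_ip, src_port, dst_ip, dst_port,
                      client_seq & 0xFFFFFFFF, counter)
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_syn_cookie(tuple4, client_seq: int, now: float) -> int:
    """ISN to place in the SYN/ACK. Nothing about this SYN is stored."""
    c = _counter(now)
    return (c << HASH_BITS) | _cookie_hash(tuple4, client_seq, c)


def check_syn_cookie(tuple4, client_seq: int, ack_number: int, now: float,
                     max_age_ticks: int = 1) -> bool:
    """Validate the handshake's third packet: ack_number - 1 must be the
    cookie we would have issued for this 4-tuple within the last tick or so."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    issued = cookie >> HASH_BITS
    age = (_counter(now) - issued) & COUNTER_MASK
    if age > max_age_ticks:
        return False                                  # expired, or never ours
    expected = _cookie_hash(tuple4, client_seq, issued)
    return hmac.compare_digest(struct.pack("!I", cookie & HASH_MASK),
                               struct.pack("!I", expected))


class StatelessListener:
    """A listening socket that keeps state only for completed handshakes."""

    def __init__(self) -> None:
        self.established: set = set()

    def on_syn(self, tuple4, client_seq: int, now: float) -> tuple:
        """Return (seq, ack) for the SYN/ACK; no per-SYN memory is allocated."""
        return make_syn_cookie(tuple4, client_seq, now), (client_seq + 1) & 0xFFFFFFFF

    def on_ack(self, tuple4, seq: int, ack: int, now: float) -> bool:
        """Third packet: seq is client_seq + 1, ack must prove the cookie."""
        if check_syn_cookie(tuple4, (seq - 1) & 0xFFFFFFFF, ack, now):
            self.established.add(tuple4)
            return True
        return False


def simulate(spoofed_syns: int = 10_000) -> tuple:
    """Constructed scenario: many SYNs with forged sources that never complete,
    then one real client that finishes its handshake. Returns the number of
    established connections after the flood and after the real client."""
    server = StatelessListener()
    server_ip, server_port = b"\xc0\x00\x02\x0a", 80          # 192.0.2.10:80
    for i in range(spoofed_syns):
        forged_src = struct.pack("!I", 0x0A000000 + i)        # 10.x.x.x, never ACKs
        server.on_syn((forged_src, 40000, server_ip, server_port), i, 1_000_000.0)
    after_flood = len(server.established)
    real = (b"\xcb\x00\x71\x05", 51515, server_ip, server_port)   # 203.0.113.5
    seq, ack = server.on_syn(real, client_seq=777, now=1_000_010.0)
    server.on_ack(real, seq=ack, ack=seq + 1, now=1_000_020.0)
    return after_flood, len(server.established)


if __name__ == "__main__":
    print("established after flood / after real client:", simulate())
```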


Bandwidth Consumption

•  Unlike a DoS-style attack, in which a low rate of fraudulent SYN packets consumes a vulnerable server's TCP connection resources, a bandwidth attack creates a brute-force flood of malicious "nonsense" Internet traffic to swamp and consume the bandwidth of the target server or of its network connection.

•  This malicious packet flood competes with, and overwhelms, the network's valid traffic so that "good packets" have a low likelihood of surviving the flood.

•  The network's servers become cut off from the rest of the Internet, and their service is denied.


Internet Aggregation Router


•  The computers and/or networks shown to the right are serviced by the central "aggregation router."

–  This router is placed at the "customer edge" of the Internet service provider's network to collect and disperse traffic from many smaller customer networks.

–  Thus, many lower-bandwidth Internet connections are "aggregated" into a single high-bandwidth Internet connection for routing to the public Internet.

•  During normal operation, the traffic coming from the Internet down the "Big Pipe" will be sorted and forwarded to the router's various lower bandwidth client networks.

•  Now suppose the Big Pipe is filled by a high volume of packets bound for just one of the router's client networks.

–  Faced with the task of squeezing too many packets from the big pipe into the much smaller pipe, the router has no choice but to deliberately drop and discard a large percentage of the packets struggling to get through the smaller pipe.

–  Valid Internet clients, trying to access the resources on the far side of the smaller pipe, will resend their dropped packets. But these clients will generally give up after a few attempts. The victim's network is effectively blasted off the Internet by the flood of malicious traffic.


DoS versus DDoS


Distributed zombie traffic aggregation

•  As the individual streams of traffic move across the Internet from their many separate sources, they are combined by the Internet's routers to form a single massive flood . . .


SYN FLOODING INTERNET ROUTERS (Bandwidth Attack)

•  TCP servers were sending SYN/ACK packets to grc.com in the well-meaning belief that WE wanted to open a TCP connection with their built-in BGP servers.


Blocking the reflection attack

•  Gibson Research reaction to DRDoS:

•  First, block any inbound traffic originating from the BGP service port 179.

–  Since the malicious hacker's SYN packets were aimed at the intermediate routers' port 179, any reflected packets would be originating from that port.

–  Verio's engineer added a "filter" to the aggregation router servicing our Internet connection to block (drop) any packets inbound to us from port 179.

–  The flood of packets coming in from port 179 immediately stopped.

•  But we did NOT return to the Internet.


Secondary Flooding

•  A fresh packet capture revealed that Gibson Research was now being actively flooded by an entirely new set of Internet servers.

•  Since this second set of traffic appeared only after the port 179 router traffic had been blocked, it appeared that this second wave of reflection traffic had been unable to compete with the routers' flood.

–  (You know you're in trouble when packet floods are competing to flood you.)

•  With the routers' traffic blocked, we were now being flooded by SYN/ACK packets pouring in from ports 22 (Secure Shell), 23 (Telnet), 53 (DNS), and 80 (HTTP/Web).

•  There were also some packets coming from port 4001 (a proxy server port) and 6668 (IRC chat).


Packet Path Diffusion

•  The big win for the attacker is the extreme degree of "packet path diffusion" made possible when attack traffic can be bounced off a large number of intermediate TCP servers. This diagram is a representation of the path of traffic between a single attacker and victim.


Packet Path Diffusion with Reflectors

•  The addition of innocent reflection servers substantially transforms the attack.


Packet Path Diffusion with Reflectors

•  Upon leaving an attacking machine, the malicious SYN packets immediately fan out.

•  No longer aimed at the victim, these attack packets are instead being sent to widely spread TCP servers.

•  As we know, these servers are potentially located throughout the entire Internet.

•  Just a few "router hops" away from the attacker, the heavy packet flow will no longer be discernible because it will have diffused into neighboring routers rather than following a single path.


Defending against DRDoS

•  Routers can be configured to filter (drop) packets destined for a particular address or group of addresses.

–  Router port 179 can be blocked as a reflector.

•  Since reflected SYN/ACK packets must bounce off a TCP server, and since almost all common service ports fall within the range from 1 to 1023, blocking all inbound packets originating from the service port range will block most of the traffic being innocently generated by reflection servers. Holes in the reflection filter may have to be created to allow legitimate traffic to pass through.

•  Block all inbound packets to high-numbered service ports. This has the undesirable effect that legitimate clients of the protected server could be generating connections from those blocked ports.


Defending against DRDoS

•  End-user client machines cannot be protected. Most client machines spend all of their time connecting to remote servers all over the Internet and require access to data coming back from many of the most common low-numbered service ports.

•  Servers could be programmed to recognize a SYN source IP address that never completes its connections and has an anomalous number of failed connections occurring within a period of time. The target of the reflection attack could be easily determined and the SYN/ACK response could be temporarily turned off.

•  ISPs could prevent the transmission of fraudulently addressed packets (packets with an IP source address not within their source address space) from within their controlled networks. This control mechanism alone would have a major dampening effect on this type of attack.
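The three countermeasures described on the two "Defending against DRDoS" slides (the edge filter on reflected SYN/ACKs from the service-port range with holes for legitimate traffic, the server-side detection of a SYN source that never completes its connections, and the ISP-side check that an outgoing packet carries a source address from the customer's own space), as an added example that is not the lecture's code. It runs over constructed packet records using documentation address ranges; the threshold and window values are assumptions.

```python
"""Added example (not the lecture's code): the DRDoS countermeasures from
the 'Defending against DRDoS' slides as filter and detection logic over
constructed packet records. A packet is a dict with src, sport, dst, dport
and TCP flags ('S' = SYN, 'SA' = SYN/ACK, 'A' = ACK, 'R' = RST)."""
import ipaddress
from collections import defaultdict, deque

SERVICE_PORTS = range(1, 1024)        # well-known service ports, incl. BGP 179


def reflection_filter(pkt: dict, protected_net: str = "203.0.113.0/24",
                      holes: frozenset = frozenset()) -> str:
    """Edge-router rule: drop inbound SYN/ACKs whose source port is a
    well-known service port, unless the sender is a 'hole' punched for
    legitimate traffic. Returns 'drop' or 'pass'."""
    inbound = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(protected_net)
    reflected = pkt["flags"] == "SA" and pkt["sport"] in SERVICE_PORTS
    if inbound and reflected and pkt["src"] not in holes:
        return "drop"
    return "pass"


def egress_spoof_check(pkt: dict, customer_prefixes: list) -> str:
    """ISP-side rule: a packet leaving a customer network must carry a source
    address from that customer's own address space, otherwise it is dropped."""
    src = ipaddress.ip_address(pkt["src"])
    if any(src in ipaddress.ip_network(p) for p in customer_prefixes):
        return "pass"
    return "drop"


class HalfOpenDetector:
    """Server-side logic: track SYNs per source; a source whose handshakes
    keep failing (no ACK within the window, or a RST from the real host) is
    treated as a reflection target, and SYN/ACKs to it are withheld until
    the failures age out of the window. Threshold/window are assumptions."""

    def __init__(self, threshold: int = 20, window: float = 60.0) -> None:
        self.threshold, self.window = threshold, window
        self.pending = defaultdict(deque)    # src -> (time, sport) awaiting ACK
        self.failed = defaultdict(deque)     # src -> times of failed handshakes

    def _expire(self, src: str, now: float) -> None:
        pend, fail = self.pending[src], self.failed[src]
        while pend and now - pend[0][0] > self.window:
            pend.popleft()
            fail.append(now)                 # never acknowledged: count a failure
        while fail and now - fail[0] > self.window:
            fail.popleft()                   # old failures stop counting

    def handle(self, pkt: dict, now: float) -> str:
        """Return the server's action: 'syn-ack', 'withhold', 'established',
        'reset-seen' or 'ignore'."""
        src = pkt["src"]
        self._expire(src, now)
        if pkt["flags"] == "S":
            if len(self.failed[src]) >= self.threshold:
                return "withhold"            # do not bounce a SYN/ACK at the victim
            self.pending[src].append((now, pkt["sport"]))
            return "syn-ack"
        for item in list(self.pending[src]):
            if item[1] == pkt["sport"] and pkt["flags"] in ("A", "R"):
                self.pending[src].remove(item)
                if pkt["flags"] == "R":      # the real host says it never asked
                    self.failed[src].append(now)
                    return "reset-seen"
                return "established"
        return "ignore"


def simulate_reflection(n_syns: int = 30) -> tuple:
    """Constructed trace: n_syns SYNs forged with victim 203.0.113.10 as the
    source, none ever acknowledged. Returns (SYN/ACKs reflected during the
    burst, action 100 s later once the failures have been counted, action
    200 s later once they have aged out and reflection resumes)."""
    det = HalfOpenDetector(threshold=20, window=60.0)

    def syn(i: int) -> dict:
        return {"src": "203.0.113.10", "sport": 1024 + i,
                "dst": "198.51.100.5", "dport": 80, "flags": "S"}

    reflected = sum(det.handle(syn(i), now=float(i)) == "syn-ack" for i in range(n_syns))
    return reflected, det.handle(syn(n_syns), now=100.0), det.handle(syn(n_syns + 1), now=200.0)


if __name__ == "__main__":
    print("reflected, later, much later:", simulate_reflection())
```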


EC-Council Scanning Methodology 1/2

1.  Check for live systems.

–  Something as simple as a ping can provide this.

–  This gives you a list of what’s actually alive on your network subnet.

2.  Check for open ports.

–  Once you know which IP addresses are active, find what ports they’re listening on.

3.  Scan beyond IDS.

–  Sometimes your scanning efforts need to be altered to avoid those pesky intrusion detection systems.

4.  Perform banner grabbing.

–  Banner grabbing and OS fingerprinting will tell you what operating system is on the machines and which services they are running.


EC-Council Scanning Methodology 2/2

5.  Scan for vulnerabilities.

–  Perform a more focused look at the vulnerabilities these machines haven’t been patched for yet.

6.  Draw network diagrams.

–  A good network diagram will display all the logical and physical pathways to targets you might like.

7.  Prepare proxies.

–  This obscures your efforts to keep you hidden.


ICMP

•  Internet Control Message Protocol (IP management)

•  Error handling and debugging protocol

•  Not authenticated!

•  Encapsulated inside an IP header

•  Message types:

–  40 assigned

–  255 possible

–  about two dozen in use

•  References:

–  Network Intrusion Detection, Chapter 4

–  http://www.iana.org/assignments/icmp-parameters


Basic ICMP Message Types

•  0 Echo Reply
•  3 Destination Unreachable
•  4 Source Quench
•  5 Redirect
•  8 Echo
•  11 Time Exceeded
•  12 Parameter Problem
•  13 Timestamp
•  14 Timestamp Reply
•  15 Information Request
•  16 Information Reply


ICMP Echo

•  a.k.a. Ping
•  Destination replies (using the "source IP" of the original message) with "echo reply"
•  Data received in the echo message must be returned in the echo reply
•  How can this be abused?


Scans and Recon

•  If an attacker wants to map your network, the trivial way is to ping all the IP addresses in your network...

•  Therefore, if you allow pings, your network is exposed.
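To make the ICMP slides concrete from the defender's side, here is an added example in Python (not part of the lecture and not code from any tool it references). It decodes the ICMP header using the type numbers listed above, verifies the RFC 792 checksum, checks the rule that an Echo Reply must carry back the Echo's data, and flags the ping-sweep pattern from the Scans and Recon slide by counting how many distinct hosts one source pings within a short window. All addresses, packets, and the threshold are constructed sample values, and the function names are chosen here.

```python
import struct
from collections import defaultdict

# ICMP type numbers as listed on the slide (IANA icmp-parameters registry)
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
    13: "Timestamp", 14: "Timestamp Reply", 15: "Information Request",
    16: "Information Reply",
}
ECHO, ECHO_REPLY = 8, 0


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an Echo (8) or Echo Reply (0) message; used here only to make sample packets."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header. A valid packet sums to zero, checksum field included."""
    if len(packet) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "name": ICMP_TYPES.get(icmp_type, "unassigned/other"),
        "code": code,
        "id": ident,
        "seq": seq,
        "payload": packet[8:],
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def echo_reply_matches(request: bytes, reply: bytes) -> bool:
    """The slide's rule: data received in the Echo must come back in the Echo Reply,
    with identifier and sequence number matching the request."""
    q, r = parse_icmp(request), parse_icmp(reply)
    return (q["type"] == ECHO and r["type"] == ECHO_REPLY
            and q["checksum_ok"] and r["checksum_ok"]
            and q["id"] == r["id"] and q["seq"] == r["seq"]
            and q["payload"] == r["payload"])


def detect_ping_sweep(events, threshold: int = 8, window: float = 5.0) -> dict:
    """Flag sources that send Echo requests to >= threshold distinct hosts within `window` seconds.
    events: iterable of (timestamp_seconds, src_ip, dst_ip, icmp_type); replies are ignored.
    Returns {src_ip: max_distinct_destinations_in_one_window} for flagged sources."""
    by_src = defaultdict(list)
    for ts, src, dst, icmp_type in events:
        if icmp_type == ECHO:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            # sliding window anchored at each request
            dsts = {d for ts, d in hits[i:] if ts - start <= window}
            best = max(best, len(dsts))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    # constructed sample: one host sweeping 12 addresses, one host pinging two hosts
    sample = [(0.1 * i, "10.0.0.5", "10.0.0.%d" % i, ECHO) for i in range(1, 13)]
    sample += [(0.0, "10.0.0.9", "10.0.0.1", ECHO), (1.0, "10.0.0.9", "10.0.0.2", ECHO),
               (0.15, "10.0.0.1", "10.0.0.5", ECHO_REPLY)]
    print(detect_ping_sweep(sample))
```

The sweep detector answers the slide's "if you allow pings, your network is exposed" from the monitoring side: even where echo is permitted, one source touching many addresses in a few seconds stands out, and the threshold and window are the knobs to tune against your own baseline.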


Port Scanning

•  Nmap through TOR


Types of Port Scans

•  Consider nmap and TOR combined
•  Full connect
   –  Also known as a TCP connect or full open scan, this runs through a full connection (three-way handshake) on all ports, tearing it down with an RST at the end.
   –  It is the easiest to detect but it’s possibly the most reliable.
   –  Open ports will respond with a SYN/ACK, and closed ports will respond with an RST.
•  Stealth
   –  Also known as a half-open scan (and also as a SYN scan).
   –  Only SYN packets are sent to ports (no completion of the three-way handshake ever takes place).
   –  Responses from ports are the same as they are for a TCP connect scan.
   –  This technique is useful in hiding your scanning efforts, possibly bypassing firewalls and monitoring efforts by hiding as normal traffic (it simply doesn’t get noticed because there is no connection to notice).


Types of Port Scans

•  Inverse TCP flag
   –  This scan uses the FIN, URG, or PSH flag (or, in one version, no flags at all) to poke at system ports.
   –  If the port is open, there will be no response at all.
   –  If the port is closed, an RST/ACK will be sent in response.
•  XMAS
   –  A Christmas scan is so named because all flags are turned on, so the packet is “lit up” like a Christmas tree.
   –  Port responses are the same as with an inverse TCP scan.
   –  XMAS scans do not work against Microsoft Windows machines due to Microsoft’s TCP/IP stack implementation (Microsoft TCP/IP is not RFC 793 compliant).


Types of Port Scans

•  ACK flag probe
   –  According to ECC, there are two versions of this scan, both of which use the same method: the attacker sends the ACK flag and looks at the return header (TTL or Window fields) to determine the port status.
   –  In the TTL version, if the TTL of the returned RST packet is less than 64, the port is open.
   –  In the Window version, if the WINDOW size on the RST packet has anything other than zero, the port is open.
•  IDLE
   –  This uses a spoofed IP address (an idle zombie system) to elicit port responses during a scan.
   –  Designed for stealth, this scan uses a SYN flag and monitors responses as with a SYN scan.
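As an added example (not from the lecture and not nmap's code), the following Python classifies captured TCP segments by flag combination into the probe types described on the three "Types of Port Scans" slides, encodes the open/closed responses the slides give for an RFC 793 stack (with the non-compliant case behind the Windows note), and counts distinct ports probed per source/destination pair as a simple port-scan detector. The IP addresses, segments and threshold are constructed sample values; the names `classify_flags`, `expected_response` and `detect_port_scan` are chosen here. The XMAS branch accepts both the "all flags on" form the slide describes and the FIN/PSH/URG form that nmap's -sX sends.

```python
from collections import defaultdict

# TCP control bits (RFC 793), the low six bits of the flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Replies from an RFC 793 stack as the slides list them: (open port, closed port)
EXPECTED_RESPONSE = {
    "connect": ("SYN/ACK", "RST"),
    "syn":     ("SYN/ACK", "RST"),
    "inverse": ("no response", "RST/ACK"),
    "null":    ("no response", "RST/ACK"),
    "xmas":    ("no response", "RST/ACK"),
}
# flag combinations that read as probes rather than ordinary connection traffic
PROBE_KINDS = {"syn", "ack", "inverse", "null", "xmas"}


def classify_flags(flags: int) -> str:
    """Label a single inbound segment by its flag combination (ECE/CWR are masked off)."""
    f = flags & 0x3F
    if f == 0:
        return "null"            # inverse TCP scan with no flags at all
    if f == SYN:
        return "syn"             # first step of both connect and half-open scans
    if f == ACK:
        return "ack"             # ACK flag probe (TTL / window inspection)
    if f in (FIN | PSH | URG, 0x3F):
        return "xmas"            # "lit up": FIN/PSH/URG, or every bit set
    if f in (FIN, URG, PSH):
        return "inverse"         # a lone FIN, URG or PSH
    if f == SYN | ACK:
        return "synack"          # second step of a handshake
    if f & RST:
        return "rst"             # reset, e.g. the reply to a closed-port probe
    if f & ACK:
        return "established"     # ordinary traffic inside a connection
    return "other"


def expected_response(kind: str, port_open: bool, rfc793_compliant: bool = True) -> str:
    """What the probed host should answer. A stack that is not RFC 793 compliant
    (the slide's Windows example) resets on FIN/NULL/XMAS probes even for open ports,
    so those scans give no open/closed distinction against it."""
    if kind not in EXPECTED_RESPONSE:
        raise ValueError("no response table for %r" % kind)
    if not rfc793_compliant and kind in ("inverse", "null", "xmas"):
        return "RST/ACK"
    open_reply, closed_reply = EXPECTED_RESPONSE[kind]
    return open_reply if port_open else closed_reply


def detect_port_scan(segments, threshold: int = 10) -> dict:
    """Count distinct destination ports touched by probe-style segments per (src, dst) pair.
    segments: iterable of (src_ip, dst_ip, dst_port, flags).
    Returns {(src, dst): {"ports": n, "kinds": [...]}} for pairs at or over the threshold."""
    probes = defaultdict(lambda: {"ports": set(), "kinds": set()})
    for src, dst, dport, flags in segments:
        kind = classify_flags(flags)
        if kind in PROBE_KINDS:
            probes[(src, dst)]["ports"].add(dport)
            probes[(src, dst)]["kinds"].add(kind)
    return {
        pair: {"ports": len(v["ports"]), "kinds": sorted(v["kinds"])}
        for pair, v in probes.items() if len(v["ports"]) >= threshold
    }


if __name__ == "__main__":
    # constructed capture: one host SYN-probing 20 ports, one sending five XMAS probes,
    # one ordinary client completing a handshake to port 443
    capture = [("10.0.0.5", "10.0.0.20", p, SYN) for p in range(1, 21)]
    capture += [("10.0.0.6", "10.0.0.20", p, FIN | PSH | URG) for p in range(1, 6)]
    capture += [("10.0.0.7", "10.0.0.20", 443, SYN), ("10.0.0.7", "10.0.0.20", 443, ACK),
                ("10.0.0.7", "10.0.0.20", 443, PSH | ACK)]
    print(detect_port_scan(capture, threshold=5))
```

Two caveats matter when reading the output. A connect scan and a half-open scan both begin with a bare SYN, so a single segment cannot tell them apart; what separates them in a capture is whether the handshake completes, which is why the half-open scan's "no connection to notice" still leaves a countable trail of SYNs with no ACK following. A bare ACK is also the third step of every normal handshake, so this toy counter leans on the threshold where a production detector would track connection state.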


Evading IDS

•  Packet Fragmentation
•  IP Address Spoofing
•  Proxies
•  TOR


Enumeration

•  Banner Grabbing
   –  Active and Passive
      •  Active sends packets to open ports and returns results
      •  Passive involves reading error messages, sniffing network traffic or looking at page extensions
•  NetBIOS Enumeration
   –  NetBIOS name is a 16 character ASCII string
   –  Examples: WORKGROUP, Napoleon, Black_Knight
•  SNMP Enumeration
   –  Old versions of SNMP send community strings in the clear
•  Other types of enumeration
   –  LDAP, NTP and SMTP
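For the enumeration slide, an added Python example (not the lecture's code and not from any SNMP or NetBIOS tool) does two things a defender auditing a capture would want: it decodes the BER structure of an SNMP message to report the version and, for v1/v2c, the community string that travels in the clear (flagging the well-known defaults), and it shows the 16-byte NetBIOS name layout, 15 name characters plus a one-byte suffix, through the first-level wire encoding. The SNMP datagrams and sample names are constructed for this example and the function names are chosen here; the v3 sample is deliberately cut after the header fields the inspector reads.

```python
# SNMPv1/v2c messages are BER-encoded: SEQUENCE { INTEGER version, OCTET STRING community, PDU }
DEFAULT_COMMUNITIES = {"public", "private"}   # factory defaults worth flagging on sight


def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value triple; returns (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def inspect_snmp(datagram: bytes) -> dict:
    """Report the SNMP version and, for v1/v2c, the community string sent in the clear."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    vtag, vval, pos = _read_tlv(body, 0)
    if vtag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(vval, "big", signed=True)
    report = {
        "version": {0: "v1", 1: "v2c", 3: "v3"}.get(version, "unknown(%d)" % version),
        "community": None,
        "cleartext_auth": False,
        "default_community": False,
    }
    ctag, cval, _ = _read_tlv(body, pos)
    if version in (0, 1) and ctag == 0x04:  # v3 carries msgGlobalData (a SEQUENCE) here instead
        community = cval.decode("ascii", "replace")
        report.update(community=community, cleartext_auth=True,
                      default_community=community in DEFAULT_COMMUNITIES)
    return report


# Constructed sample: SNMPv1 GetRequest for sysDescr.0 with community "public"
SNMP_V1_GET = bytes.fromhex(
    "3026"                       # SEQUENCE, 38 bytes
    "020100"                     # INTEGER version = 0 (v1)
    "0406" "7075626c6963"        # OCTET STRING "public"
    "a019"                       # GetRequest-PDU, 25 bytes
    "020101" "020100" "020100"   # request-id 1, error-status 0, error-index 0
    "300e" "300c"                # VarBindList / VarBind
    "0608" "2b06010201010100"    # OID 1.3.6.1.2.1.1.1.0
    "0500"                       # NULL value
)
# Constructed sample: leading fields of an SNMPv3 message (version 3, then msgGlobalData);
# the security parameters and msgData that follow are omitted since they are not inspected
SNMP_V3_HEAD = bytes.fromhex(
    "3012" "020103"
    "300d" "020101" "020205dc" "040104" "020103"
)


# NetBIOS names: 16 bytes, 15 name characters padded with spaces plus a one-byte suffix,
# carried on the wire in first-level encoding (each nibble + 'A', giving 32 characters)
def encode_netbios_name(name: str, suffix: int = 0x00) -> str:
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str):
    """Return (name, suffix) from a 32-character first-level-encoded NetBIOS name."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


if __name__ == "__main__":
    print(inspect_snmp(SNMP_V1_GET))
    print(inspect_snmp(SNMP_V3_HEAD))
    print(decode_netbios_name(encode_netbios_name("WORKGROUP")))
```

Run over UDP/161 payloads from a capture, `inspect_snmp` gives an inventory of devices still answering v1/v2c, which is the population the slide's "community strings in the clear" warning applies to; a community reported as a default is the first thing to change. The NetBIOS helper makes the slide's "16 character" figure concrete: the sixteenth byte is not part of the name but a service suffix, which is why WORKGROUP pads with spaces before it.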


Summary – Section Objectives

•  Understand EC-Council’s scanning methodology
•  Describe scan types and the objectives of scanning
•  Understand the use of various scanning and enumeration tools
•  Describe TCP communication (three-way handshake and flag types)
•  Understand basic subnetting
•  Understand enumeration and enumeration techniques
•  Describe vulnerability scanning concepts and actions
•  Describe steps involved in performing enumeration