Mississippi State University Center for Cyber Innovation 1
J. A. “Drew” Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation
Professor, Computer Science & Engineering
CCI Post Office Box 9627 Mississippi State, MS 39762
Voice: (662) 325-2294 Fax: (662) 325-7692 [email protected]
Section Objectives
• Understand EC-Council’s scanning methodology
• Describe scan types and the objectives of scanning
• Understand the use of various scanning and enumeration tools
• Describe TCP communication (three-way handshake and flag types)
• Understand basic subnetting
• Understand enumeration and enumeration techniques
• Describe vulnerability scanning concepts and actions
• Describe steps involved in performing enumeration
Scanning and Enumeration
Dr. Drew Hamilton
Reference: Dr. John Copeland
Reference: Dr. Pascal Meunier
Reference: Matt Walker, All-in-One CEH Certified Ethical Hacker
TCP/IP Fundamentals
(Figure: two end hosts, one on Ethernet and one on Token Ring, each with an Application Layer (SHTTP), Transport Layer (TCP, UDP), Network Layer (IP), Data Link Layer and Physical Layer; a process on each host communicates with the other. The router between them buffers packets that need to be forwarded (based on IP address) and has only a Network Layer plus a Data Link and Physical Layer for each attached network.)
Router Network - Table Set Up
In a router network, circuits are defined by entries in the routing tables along the way. These may be static (manually set up) or dynamic (set up according to an algorithm in the router).
(Figure: routers 1 to 7 joined by trunk or long-haul links; stations A to E, each on a LAN, attach over local connections; the example circuit runs from A to D.)
Optimal Paths From Router 1
(or To Router 1)
Define Router 1's Sink Tree
(Figure: the same router network, routers 1 to 7 joined by trunk or long-haul links, with stations A to E attached over local connections; the tree of optimal paths from Router 1 to, or to Router 1 from, every other router is Router 1's sink tree.)
TCP/IP Example
(Figure: the same layered picture with a Web Server (IP address 130.207.22.5, port 80) on Ethernet and a Browser (IP address 24.88.15.22, port 31337) on Token Ring exchanging HTTP over TCP; each direction carries its own segment numbers. The router in between buffers packets that need to be forwarded, based on IP address.)
Connection & Connectionless Comm
• Connection = Transmission Control Protocol
– The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite.
– It originated in the initial network implementation in which it complemented the Internet Protocol (IP).
– Therefore, the entire suite is commonly referred to as TCP/IP.
• Connectionless = User Datagram Protocol
– UDP (User Datagram Protocol) is an alternative communications protocol to Transmission Control Protocol (TCP), used primarily for establishing low-latency and loss-tolerating connections between applications on the Internet.
– “Fire and forget” – simpler, faster and less reliable.
TCP versus UDP
UDP Datagram Structure

TCP Segment Structure
TCP Flags
• SYN (Synchronize)
– This flag is set during initial communication establishment.
– It indicates negotiation of parameters and sequence numbers.
• ACK (Acknowledgment)
– This flag is set as an acknowledgment to SYN flags.
– This flag is set on all segments after the initial SYN flag.
• RST (Reset)
– This flag forces a termination of communications (both directions).
• FIN (Finish)
– This flag signifies an ordered close to communications.
• PSH (Push)
– This flag forces the delivery of data without concern for any buffering. In other words, the receiving device need not wait for the buffer to fill up before processing the data.
• URG (Urgent)
– Indicates the data inside is being sent out of band.
– Cancelling a message mid-stream is one example.
Transport Layer

Transport Layer: Process-to-process delivery
Transport Layer Addressing
Addresses
• Data link layer → MAC address
• Network layer → IP address
• Transport layer → Port number (choose among multiple processes running on destination host)
Port Numbers
• Port numbers are 16-bit integers (0 → 65,535)
– Servers use well-known ports; 0-1023 are privileged
– Clients use ephemeral (short-lived) ports
• Internet Assigned Numbers Authority (IANA) maintains a list of port number assignments
– Well-known ports (0-1023) → controlled and assigned by IANA
– Registered ports (1024-49151) → IANA registers and lists use of ports as a convenience (49151 is ¾ of 65536)
– Dynamic ports (49152-65535) → ephemeral ports
– For well-known port numbers, see /etc/services on a UNIX or Linux machine
Common Port Numbers
Some tools to experiment with
• CurrPort (Windows)
• Netstat
IP Addresses
• Structure of an IP address
• Subnetting
• CIDR
• IP Version 6 addresses
IP Addresses
(Figure: an Ethernet frame carrying Ethernet Header, IP Header, TCP Header, Application data and Ethernet Trailer. The IP header is 32 bits wide and holds, in order:)
• Version (4 bits), Header length, Type of Service/TOS (8 bits), Total Length in bytes (16 bits)
• Identification (16 bits), Flags (3 bits), Fragment Offset (13 bits)
• TTL Time-to-Live (8 bits), Protocol (8 bits), Header Checksum (16 bits)
• Source IP address (32 bits)
• Destination IP address (32 bits)

IP Addresses
(Figure: the same IP header filled with example values: Version 0x4, Header length 0x5, TOS 0x00, Total Length 44 (decimal); Identification 0x9d08, Flags 010 (binary), Fragment Offset 0000000000000 (binary); TTL 128 (decimal), Protocol 0x06, Header Checksum 0x8bff; Source IP address 128.143.137.144; Destination IP address 128.143.71.21.)
What is an IP Address?
• An IP address is a unique global address for a network interface
• An IP address:
– is a 32 bit long identifier
– encodes a network number (network prefix)
– and a host number
Dotted Decimal Notation
• IP addresses are written in a so-called dotted decimal notation
• Each byte is identified by a decimal number in the range [0..255]:
• Example:
10001111 10000000 10001001 10010000
1st byte = 128, 2nd byte = 143, 3rd byte = 137, 4th byte = 144
128.143.137.144
Network prefix and Host number
• The network prefix identifies a network and the host number identifies a specific host (actually, an interface on the network).
• How do we know how long the network prefix is?
– The network prefix used to be implicitly defined (class-based addressing, A, B, C, D…)
– The network prefix now is flexible and is indicated by a prefix/netmask (classless).
(Figure: an IP address split into a network prefix followed by a host number.)
Example: argon.cs.virginia.edu
• IP address is 128.143.137.144
– Is that enough info to route a datagram? -> No, a netmask or prefix is needed at every IP device (host and router)
• Using prefix notation the IP address is: 128.143.137.144/16
– Network prefix is 16 bits long
• Network mask is: 255.255.0.0 or in hex format: ffff0000
-----> Network id (IP address AND netmask) is: 128.143.0.0
-----> Host number (IP address AND inverse of netmask) is: 137.144
(Figure: 128.143 | 137.144, the network prefix and host number of the example address.)
The old way: Classful IP Addresses
• When Internet addresses were standardized (early 1980s), the Internet address space was divided up into classes:
– Class A: Network prefix is 8 bits long
– Class B: Network prefix is 16 bits long
– Class C: Network prefix is 24 bits long
• Each IP address contained a key which identifies the class:
– Class A: IP address starts with “0”
– Class B: IP address starts with “10”
– Class C: IP address starts with “110”
The old way: Internet Address Classes
(Figure: bit layouts of the address classes.)
• Class A: bit 0 is 0; network prefix 8 bits (bits 0-7); host number 24 bits (bits 8-31)
• Class B: bits 0-1 are 10; network prefix 16 bits (bits 0-15); host number 16 bits (bits 16-31)
• Class C: bits 0-2 are 110; network prefix 24 bits (bits 0-23); host number 8 bits (bits 24-31)
• Class D: bits 0-3 are 1110; multicast group id (bits 4-31)
• Class E: bits 0-4 are 11110; reserved for future use (bits 5-31)
• We will learn about multicast addresses later in this course.
Problems with Classful IP Addresses
• The original classful address scheme had a number of problems
Problem 1. Too few network addresses for large networks
– Class A and Class B addresses are gone
Problem 2. Two-layer hierarchy is not appropriate for large networks with Class A and Class B addresses.
– Fix #1: Subnetting
Problem 3. Inflexible. Assume a company requires 2,000 addresses
– Class A and B addresses are overkill
– Class C address is insufficient (requires 8 Class C addresses)
– Fix #2: Classless Interdomain Routing (CIDR)
Problem 4: Exploding Routing Tables: Routing on the backbone Internet needs to have an entry for each network address. In 1993, the size of the routing tables started to outgrow the capacity of routers.
– Fix #2: Classless Interdomain Routing (CIDR)
Problem 5. The Internet is going to outgrow the 32-bit addresses
– Fix #3: IP Version 6
Subnetting
• Problem: Organizations have multiple networks which are independently managed
– Solution 1: Allocate an address for each network
• Difficult to manage
• From the outside of the organization, each network must be addressable, i.e. have an identifiable address.
– Solution 2: Add another level of hierarchy to the IP addressing structure
(Figure: a University Network containing a Medical School, a Library and an Engineering School.)
Basic Idea of Subnetting
• Split the host number portion of an IP address into a subnet number and a (smaller) host number.
• Result is a 3-layer hierarchy
• Then:
• Subnets can be freely assigned within the organization
• Internally, subnets are treated as separate networks
• Subnet structure is not visible outside the organization
(Figure: network prefix | host number becomes network prefix | subnet number | host number, where the network prefix and subnet number together form the extended network prefix.)
Subnet Masks
• Routers and hosts use an extended network prefix (subnet mask) to identify the start of the host numbers
* There are different ways of subnetting. Commonly used netmasks for university networks with /16 prefix (Class B) are 255.255.255.0 and 255.255.0.0
(Figure: a Class B address has a 16-bit network prefix and a 16-bit host field; with subnetting and subnet mask 255.255.255.0 (11111111 11111111 11111111 00000000) the first 8 host bits become the subnet number, giving a 24-bit extended network prefix.)
Example of a Subnetting Plan
(Figure: the Internet connects through a router to IP network 128.49.0.0/16, which is divided into Subnet 1 = 128.49.0.0/24, Subnet 2 = 128.49.1.0/25, Subnet 3 = 128.49.1.128/25 and Subnet 4 = 128.49.3.0/24, with an internal router R joining the subnets. Two bytes are available for subnetting; subnetwork 128.49.1.0/24 is split by its fourth byte: 00000000 for 128.49.1.0/25 and 10000000 for 128.49.1.128/25.)
Advantages of Subnetting
• With subnetting, IP addresses use a 3-layer hierarchy:
– Network
– Subnet
– Host
• Improves efficiency of IP addresses by not consuming an entire address space for each physical network.
• Reduces router complexity. Since external routers do not know about subnetting, the complexity of routing tables at external routers is reduced.
• Note: Length of the subnet mask need not be identical at all subnetworks.
Subnetting Example
(Figure: Network without subnets, 128.143.0.0/16.)
(Figure: Same Network with Subnets.)
(Figure: Same network w/ different subnetmasks, showing the 128.143.137.0 Subnet.)
Subnetting Example
• An organization with 4 departments has the following IP address space: 10.2.22.0/23. As the systems manager, you are required to create subnets to accommodate the IT needs of the 4 departments. The subnets have to support 200, 61, 55 and 41 hosts respectively. What are the 4 subnet network numbers?
• Solution:
– 10.2.22.0/24 (256 addresses > 200)
– 10.2.23.0/26 (64 addresses > 61)
– 10.2.23.64/26 (64 addresses > 55)
– 10.2.23.128/26 (64 addresses > 41)
CIDR - Classless Interdomain Routing
• IP backbone routers have one routing table entry for each network address:
– With subnetting, a backbone router only needs to know one entry for each network
– This is acceptable for Class A and Class B networks
• 2^7 = 128 Class A networks
• 2^14 = 16,384 Class B networks
– But this is not acceptable for Class C networks
• 2^21 = 2,097,152 Class C networks
• In 1993, the size of the routing tables started to outgrow the capacity of routers
• Consequence: The Class-based assignment of IP addresses had to be abandoned
CIDR - Classless Interdomain Routing
• Goals:
– Restructure IP address assignments to increase efficiency
– Hierarchical routing aggregation to minimize route table entries
Key Concept: The length of the network id (prefix) in IP addresses is arbitrary/flexible and is defined by the network hierarchy.
• Consequence:
– Routers use the IP address and the length of the prefix for forwarding.
– All advertised IP addresses must include a prefix
CIDR Example
• CIDR notation of a network address: 192.0.2.0/18
• "18" says that the first 18 bits are the network part of the address
• The network part is called the network prefix
• Example:
– Assume that a site requires an IP network domain that can support 1000 IP host addresses
– With CIDR, the network is assigned a continuous block of 1024 = 2^10 (>1000) addresses with a 32-10 = 22-bit long prefix
CIDR: Prefix Size vs. Host Space
CIDR Block Prefix   # of Host Addresses
/27                 32 hosts
/26                 64 hosts
/25                 128 hosts
/24                 256 hosts
/23                 512 hosts
/22                 1,024 hosts
/21                 2,048 hosts
/20                 4,096 hosts
/19                 8,192 hosts
/18                 16,384 hosts
/17                 32,768 hosts
/16                 65,536 hosts
/15                 131,072 hosts
/14                 262,144 hosts
/13                 524,288 hosts
CIDR and Address Assignments
• Backbone ISPs obtain large blocks of IP address space and then reallocate portions of their address blocks to their customers.
Example:
• Assume that an ISP owns the address block 206.0.64.0/18, which represents 16,384 (2^(32-18) = 2^14) IP host addresses
• Suppose a client requires 800 host addresses
– 512 = 2^9 < 800 < 1024 = 2^10 -> 32-10 = 22
– Assigning a /22 block, i.e., 206.0.68.0/22, gives a block of 1,024 (2^10) IP addresses to the client.
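As an added example, not from the slides: the rule behind both the four-department Subnetting Example (10.2.22.0/23 split for 200, 61, 55 and 41 hosts) and the ISP's /22 hand-out above, written with Python's ipaddress module. The department names, the allocate and valid_assignment functions and the largest-first ordering are my own.

```python
import ipaddress
from typing import List, Tuple

Plan = List[Tuple[str, ipaddress.IPv4Network]]


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix length whose block holds at least `hosts` addresses.

    The slides count whole blocks ("/24: 256 addresses > 200"), so the network
    and broadcast addresses are not subtracted; pass hosts + 2 if you need
    that many usable addresses.
    """
    if hosts < 1:
        raise ValueError("need at least one address")
    return 32 - (hosts - 1).bit_length()   # 200 -> 24, 61 -> 26, 800 -> 22


def allocate(parent: str, demands: List[Tuple[str, int]]) -> Plan:
    """Carve `parent` into one subnet per (name, hosts) demand.

    Largest demands are served first so that every block lands on its natural
    boundary (a /24 at .0, a /26 at .0/.64/.128/.192). Raises ValueError when
    the parent block runs out of room.
    """
    free = [ipaddress.ip_network(parent, strict=True)]   # unused blocks, sorted by address
    plan: Plan = []
    for name, hosts in sorted(demands, key=lambda d: d[1], reverse=True):
        plen = prefix_for_hosts(hosts)
        for i, block in enumerate(free):
            if block.prefixlen <= plen:                 # big enough: take its first /plen
                chosen = block if block.prefixlen == plen else next(block.subnets(new_prefix=plen))
                free[i:i + 1] = sorted(block.address_exclude(chosen))   # keep the remainder
                plan.append((name, chosen))
                break
        else:
            raise ValueError(f"no room for {name}: {hosts} hosts need a /{plen} in {parent}")
    return plan


def fits(parent: str, demands: List[Tuple[str, int]]) -> bool:
    """True if every demand can be satisfied inside `parent`."""
    try:
        allocate(parent, demands)
        return True
    except ValueError:
        return False


def valid_assignment(isp_block: str, customer_block: str, hosts: int) -> bool:
    """Check an ISP hand-out: right size for `hosts` and inside the ISP's own block."""
    isp = ipaddress.ip_network(isp_block)
    customer = ipaddress.ip_network(customer_block)
    return customer.prefixlen == prefix_for_hosts(hosts) and customer.subnet_of(isp)


if __name__ == "__main__":
    # the slide's four departments (names constructed) inside 10.2.22.0/23
    for name, net in allocate("10.2.22.0/23", [("A", 200), ("B", 61), ("C", 55), ("D", 41)]):
        print(f"{name}: {net}  ({net.num_addresses} addresses)")
    # the slide's ISP example: 800 hosts -> /22, and 206.0.68.0/22 lies inside 206.0.64.0/18
    print(valid_assignment("206.0.64.0/18", "206.0.68.0/22", 800))
```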
Subnetting and Classless Inter Domain Routing (CIDR)
• Subnetting is done by allocating some of the leading bits of the host number to indicate a subnet number.
– With subnetting, the network prefix and the subnet number make up an extended network prefix.
– The extended prefix can be expressed in terms of a subnetmask or, using CIDR notation, by adding the length of the extended subnetmask after the IP address.
– For example, for Argon, the first byte of the host number (the third byte of the IP address) is used to denote the subnet number.
– 128.143.0.0/16 is the IP address of the network (network prefix /16),
– 128.143.137.0/24 is the IP address of the subnet,
– 128.143.137.144/32 is the IP address of the host, and
– 255.255.255.0 is the subnetmask of the host (or subnet prefix /24)
CIDR and Routing Information
(Figure: the Internet Backbone hands the prefixes 206.0.64.0/18, 204.188.0.0/15 and 209.88.232.0/21 to ISP K. ISP K owns these blocks and allocates Company X: 206.0.68.0/22 and ISP Y: 209.88.237.0/24; ISP Y in turn allocates Organization Z1: 209.88.237.192/26 and Organization Z2: 209.88.237.0/26.)
• Backbone sends everything which matches the prefixes 206.0.64.0/18, 204.188.0.0/15, 209.88.232.0/21 to ISP K.
• ISP K sends everything which matches the prefix 206.0.68.0/22 to Company X and 209.88.237.0/24 to ISP Y.
• ISP Y sends everything which matches the prefix 209.88.237.192/26 to Organization Z1 and 209.88.237.0/26 to Organization Z2.
• Backbone routers do not know anything about Company X, ISP Y, or Organizations Z1, Z2.
• ISP K does not know about Organizations Z1, Z2.
CIDR and Routing
• Aggregation of routing table entries:
– 128.143.0.0/16 and 128.142.0.0/16 can be represented as 128.142.0.0/15 at a router.
• 143 = 10001111 and 142 = 10001110, i.e. 128.143.0.0 = 128.10001111.0.0 and 128.142.0.0 = 128.10001110.0.0
• Longest prefix match: Routing table lookup finds the routing entry that matches the longest prefix
– Why?
E.g., what is the outgoing interface for destination IP address 128.143.137.0?
Routing table:
Prefix              Interface/outgoing link
128.143.128.0/17    interface #1
128.128.0.0/9       interface #2
128.0.0.0/4         interface #5
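As an added example, not from the slides: the longest-prefix lookup against the routing table above and the /16-to-/15 aggregation, using Python's ipaddress module. The table is reproduced as data; the function names are mine.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# The slide's routing table (prefix -> outgoing interface), reproduced as data.
ROUTING_TABLE: Dict[str, str] = {
    "128.143.128.0/17": "interface #1",
    "128.128.0.0/9": "interface #2",
    "128.0.0.0/4": "interface #5",
}


def matching_entries(table: Dict[str, str], destination: str) -> List[Tuple[str, str]]:
    """All table entries whose prefix covers `destination`, most specific first."""
    dst = ipaddress.ip_address(destination)
    hits = []
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net:
            hits.append((net, iface))
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
    return [(str(net), iface) for net, iface in hits]


def longest_prefix_match(table: Dict[str, str], destination: str) -> Optional[Tuple[str, str]]:
    """The forwarding decision: the matching entry with the longest prefix, or None.

    Several entries may cover one destination (all three above cover
    128.143.137.0). The longest prefix describes the smallest block, so it is
    the most specific knowledge the router has and must win; otherwise the
    coarse /4 route would swallow traffic meant for the /17.
    """
    hits = matching_entries(table, destination)
    return hits[0] if hits else None


def aggregate(prefixes: List[str]) -> List[str]:
    """Merge adjacent blocks into the fewest covering prefixes (route aggregation)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def common_prefix_len(a: str, b: str) -> int:
    """Leading bits shared by two addresses: the /15 in 128.143 vs 128.142."""
    diff = int(ipaddress.ip_address(a)) ^ int(ipaddress.ip_address(b))
    return 32 - diff.bit_length()


if __name__ == "__main__":
    print(longest_prefix_match(ROUTING_TABLE, "128.143.137.0"))   # ('128.143.128.0/17', 'interface #1')
    print(aggregate(["128.143.0.0/16", "128.142.0.0/16"]))        # ['128.142.0.0/15']
    print(common_prefix_len("128.143.0.0", "128.142.0.0"))        # 15
```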
IPv6 - IP Version 6
• IP Version 6
– Is the successor to the currently used IPv4
– Specification completed in 1994
– Makes improvements to IPv4 (no revolutionary changes)
• One (not the only!) feature of IPv6 is a significant increase in size of the IP address to 128 bits (16 bytes)
• IPv6 will solve – for the foreseeable future – the problems with IP addressing
IPv6 Header
(Figure: an Ethernet frame carrying Ethernet Header, IPv6 Header, TCP Header, Application data and Ethernet Trailer.)
IPv6 vs. IPv4: Address Comparison
• IPv4 has a maximum of 2^32 ≈ 4 billion addresses
• IPv6 has a maximum of 2^128 = (2^32)^4 ≈ 4 billion x 4 billion x 4 billion x 4 billion addresses
Notation of IPv6 addresses
• Convention: The 128-bit IPv6 address is written as eight 16-bit integers (using hexadecimal digits for each integer)
CEDF:BP76:3245:4464:FACE:2E50:3025:DF12
• Short notation:
• Abbreviations of leading zeroes:
CEDF:BP76:0000:0000:009E:0000:3025:DF12 → CEDF:BP76:0:0:9E:0:3025:DF12
• “:0000:0000” can be written as “::”
CEDF:BP76:0:0:FACE:0:3025:DF12 → CEDF:BP76::FACE:0:3025:DF12
• IPv6 addresses derived from IPv4 addresses have different formats. Convention allows use of IPv4 notation for the last 32 bits.
128.143.137.144 -> 0:0:0:0:0:ffff:808F:8990 or
128.143.137.144 -> 2002:808f:8990:0:0:0:0:0 (called a 6to4 address)
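An added example, not the slides' code: the two abbreviation rules and the two IPv4-derived formats above as Python functions, cross-checked against the standard library's ipaddress module. Function names and sample addresses are my own.

```python
import ipaddress
import re


def compress_ipv6(full: str) -> str:
    """Apply the slide's two abbreviations to a full eight-group IPv6 address.

    1. drop leading zeroes inside each 16-bit group (0000 -> 0, 009E -> 9E);
    2. replace the longest run of two or more all-zero groups with '::'.
    Only one run may be replaced: with two '::' a reader could not tell how
    many zero groups each stands for, so the address would be ambiguous.
    """
    groups = full.split(":")
    if len(groups) != 8 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,4}", g) for g in groups):
        raise ValueError(f"expected eight hexadecimal groups: {full!r}")
    short = [g.lstrip("0") or "0" for g in groups]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:                               # scan for the longest run of "0" groups
        if short[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and short[j] == "0":
            j += 1
        if j - i > best_len:                   # '>' keeps the leftmost run on a tie
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                           # a single zero group stays written as "0"
        return ":".join(short)
    left = ":".join(short[:best_start])
    right = ":".join(short[best_start + best_len:])
    return f"{left}::{right}"


def expand_ipv6(short: str) -> str:
    """Inverse of compress_ipv6: back to eight zero-padded groups (via the stdlib)."""
    return ipaddress.IPv6Address(short).exploded


def ipv4_mapped(ipv4: str) -> str:
    """IPv4-mapped form with hex groups: 128.143.137.144 -> ::ffff:808f:8990."""
    n = int(ipaddress.IPv4Address(ipv4))
    return compress_ipv6(f"0000:0000:0000:0000:0000:ffff:{n >> 16:04x}:{n & 0xffff:04x}")


def six_to_four(ipv4: str) -> str:
    """6to4 form: the 2002::/16 prefix followed by the IPv4 address -> 2002:808f:8990::."""
    n = int(ipaddress.IPv4Address(ipv4))
    return compress_ipv6(f"2002:{n >> 16:04x}:{n & 0xffff:04x}:0000:0000:0000:0000:0000")


def embedded_ipv4(addr: str) -> str:
    """Recover the IPv4 address carried by an IPv4-mapped or 6to4 IPv6 address."""
    v6 = ipaddress.IPv6Address(addr)
    embedded = v6.ipv4_mapped or v6.sixtofour
    if embedded is None:
        raise ValueError(f"{addr} carries no IPv4 address")
    return str(embedded)


def agrees_with_stdlib(full: str) -> bool:
    """Cross-check: our compression equals the standard library's canonical form."""
    return compress_ipv6(full).lower() == ipaddress.IPv6Address(full).compressed


if __name__ == "__main__":
    print(compress_ipv6("CEDF:BB76:0000:0000:009E:0000:3025:DF12"))   # CEDF:BB76::9E:0:3025:DF12
    print(ipv4_mapped("128.143.137.144"), six_to_four("128.143.137.144"))
```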
IPv6 Provider-Based Addresses
• The first IPv6 addresses will be allocated to a provider-based plan
• Type: set to “010” for provider-based addresses
• Registry: identifies the agency that registered the address
The following fields have a variable length (recommended length in “()”):
• Provider: Id of Internet access provider (16 bits)
• Subscriber: Id of the organization at provider (24 bits)
• Subnetwork: Id of subnet within organization (32 bits)
• Interface: identifies an interface at a node (48 bits)
(Figure: the address laid out as 010 | Registry ID | Provider ID | Subscriber ID | Subnetwork ID | Interface ID.)
More on IPv6 Addresses
• The provider-based addresses have a similar flavor as CIDR addresses
• IPv6 provides address formats for:
– Unicast – identifies a single interface
– Multicast – identifies a group. Datagrams sent to a multicast address are sent to all members of the group
– Anycast – identifies a group. Datagrams sent to an anycast address are sent to one of the members in the group.
Socket Addressing
• Process-to-process delivery needs two identifiers
– IP address and Port number
– Combination of IP address and port number is called a socket address (a socket is a communication endpoint)
– Client socket address uniquely identifies client process
– Server socket address uniquely identifies server process
• Transport-layer protocol needs a pair of socket addresses
– Client socket address
– Server socket address
– For example, the socket pair for a TCP connection is a 4-tuple:
1. local IP address
2. local port
3. foreign IP address
4. foreign port
Why Sockets?
Provides an abstraction for interprocess communication
Socket Definition
• The services provided (often by the operating system) that provide the interface between application and protocol software.
(Figure: an Application on top of a Network API, which sits on top of Protocol A, Protocol B and Protocol C.)
Functions
– Define an “end-point” for communication
– Initiate and accept a connection
– Send and receive data
– Terminate a connection gracefully
Examples
• File transfer apps (FTP), Web browsers (HTTP), Email (SMTP/POP3), etc.
Types of Sockets
• Two different types of sockets: stream vs. datagram
• Stream socket (a.k.a. connection-oriented socket)
– It provides reliable, connected networking service
– Error free; no out-of-order packets (uses TCP)
– applications: telnet/ssh, http, …
• Datagram socket (a.k.a. connectionless socket)
– It provides unreliable, best-effort networking service
– Packets may be lost; may arrive out of order (uses UDP)
– applications: streaming audio/video (realplayer), …
Addressing
(Figure: a Client and a Server.)
Addresses, Ports and Sockets
• Like apartments and mailboxes
– You are the application
– Your apartment building address is the address
– Your mailbox is the port
– The post-office is the network
– The socket is the key that gives you access to the right mailbox
Client – high level view
Create a socket
Setup the server address
Connect to the server
Read/write data
Shutdown connection
Server – high level view
Create a socket
Bind the socket
Listen for connections
Accept new client connections
Read/write to client connections
Shutdown connection
Sending / Receiving Data
• With a connection (SOCK_STREAM):
– int count = send(sock, &buf, len, flags);
• count: # bytes transmitted (-1 if error)
• buf: char[], buffer to be transmitted
• len: integer, length of buffer (in bytes) to transmit
• flags: integer, special options, usually just 0
– int count = recv(sock, &buf, len, flags);
• count: # bytes received (-1 if error)
• buf: void[], stores received bytes
• len: # bytes received
• flags: integer, special options, usually just 0
– Calls are blocking [returns only after data is sent (to socket buf) / received]
Client – Server Comms
(Figure: TCP Server: socket() → bind() to a well-known port → listen() → accept(), which blocks until a connection arrives from a client → read() → process request → write() → read() → close(). TCP Client: socket() → connect() (connection establishment) → write() (data: request) → read() (data: reply) → close() (end-of-file notification to the server).)
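An added example, not from the slides: the client and server call sequences above run end to end on loopback in Python, reporting the 4-tuple (local IP, local port, foreign IP, foreign port) each side sees so the socket-pair and ephemeral-port points can be checked. Function names are mine.

```python
import socket
import threading
from typing import Any, Dict, Tuple

SocketPair = Tuple[str, int, str, int]   # (local IP, local port, foreign IP, foreign port)


def serve_one_client(listener: socket.socket) -> SocketPair:
    """Server side: accept one connection, echo until the client closes, return the 4-tuple."""
    conn, peer = listener.accept()           # blocks until a client connect()s
    with conn:
        local = conn.getsockname()           # the server's end of the connected socket
        while True:
            data = conn.recv(4096)           # blocks; b"" means the client closed (end-of-file)
            if not data:
                break
            conn.sendall(data)               # send() may write fewer bytes than asked; sendall loops
    return (local[0], local[1], peer[0], peer[1])


def echo_roundtrip(payload: bytes) -> Dict[str, Any]:
    """Run the whole client/server exchange on loopback and report what each side saw."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # create a socket
    listener.bind(("127.0.0.1", 0))          # bind; port 0 lets the OS pick a free port
    listener.listen(1)                       # listen for connections
    server_port = listener.getsockname()[1]
    result: Dict[str, Any] = {}
    worker = threading.Thread(target=lambda: result.update(server_view=serve_one_client(listener)))
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    with client:
        client.connect(("127.0.0.1", server_port))    # the three-way handshake happens here
        client.sendall(payload)
        received = b""
        while len(received) < len(payload):           # recv may return the echo in pieces
            chunk = client.recv(4096)
            if not chunk:
                break
            received += chunk
        result["client_view"] = client.getsockname() + client.getpeername()
        client.shutdown(socket.SHUT_WR)               # orderly close: FIN tells the server we are done
    worker.join(timeout=5)
    listener.close()
    result["echoed"] = received
    return result


if __name__ == "__main__":
    r = echo_roundtrip(b"hello")
    print("server saw", r["server_view"])
    print("client saw", r["client_view"])
```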
Dealing with calls
• Many functions block
– accept(), connect()
– All recv()
• For simple programs this is fine
• What about complex connection routines
– Multiple connections
– Simultaneous sends and receives
– Simultaneously doing non-networking processing
IP Security Overview
• IP Packets have no inherent security
– Relatively easy to
• forge contents of IP packets
• modify contents of IP packets
• inspect the contents of IP packets in transit
• Therefore, there is no guarantee that IP datagrams received:
– are from the claimed sender (source address in the IP header)
– contain the original data that the sender placed in them
– were not inspected by a third party while the packet was being sent from source to destination
TCP Review
• The establishment of a TCP connection typically requires the exchange of three Internet packets between two machines in an interchange known as the TCP three-way handshake. Here's how it works:
– SYN: A TCP client (such as a web browser, ftp client, etc.) initiates a connection with a TCP server by sending a SYN packet to the server.
– SYN/ACK: When a connection-requesting SYN packet is received at an ‘open’ TCP service port, the server's operating system replies with a connection-accepting SYN/ACK packet.
– ACK: When the client receives the server's acknowledging SYN/ACK packet for the pending connection, it replies with an ACK packet.
Bandwidth Consumption DoS
• Traditional SYN flooding DoS attacks are either one-on-one
– (one machine sending out enough SYN packets to the target machine to effectively choke off access to the other machine)
• or many-on-one
– (SYN flooding ‘zombie’ programs loaded by the attacker into compromised machines and commanded by the attacker to send huge volumes of SYN commands to the target machine).
Review of SYN Packets
SYN: A TCP client (such as a web browser, ftp client, etc.) initiates a connection with a TCP server by sending a "SYN" packet to the server.
SYN/ACK: When a connection-requesting SYN packet is received at an "open" TCP service port, the server's operating system replies with a connection-accepting "SYN/ACK" packet.
ACK: When the client receives the server's acknowledging SYN/ACK packet for the pending connection, it replies with an ACK packet.
SYN Packet with Deliberately Spoofed Return Address
Through the use of "Raw Sockets", the packet's "return address" (source IP) can be overridden and falsified. When a SYN packet with a spoofed source IP arrives at the server, it appears as any other valid connection request.
Raw Socket Review
• Data is exchanged across the Internet by either establishing a bi-directional "TCP Connection" between two machines, or by sending a uni-directional "UDP Datagram" message from one machine to another. Both of these data transferring operations employ standard sockets.
• Smooth and orderly traffic flow across the Internet requires machines to inform each other of various non-data events such as closed ports, network congestion, unreachable IP addresses, etc. The ICMP (Internet Control Message Protocol) was created to fill this need.
• The operating system's built-in TCP/IP stack automatically and transparently generates and receives most of these "Internet plumbing" ICMP messages on behalf of the machine. To facilitate the creation of Internet plumbing applications, such as "ping" and "traceroute", which also employ ICMP messages, the Berkeley designers allowed programmers to manually generate and receive their own ICMP, and other, message traffic. As shown in the diagram, the Berkeley Sockets system provides this power through the use of a so-called "Raw Socket".
• A Raw Socket short-circuits the TCP/IP stack to open a "backdoor" directly into the underlying network data transport.
– This provides full and direct "packet level" Internet access to any Unix sockets programmer.
SYN Packet: Destination Unknown
• The server will allocate the required memory buffers, record the information about the new connection, and send an answering SYN/ACK packet back to the client.
• But since the source IP contained in the SYN packet was deliberately falsified (it is often a random number), the SYN/ACK will be sent to a random IP address on the Internet.
• If the packet were addressed to a valid IP, the machine at that address might reply with a "RST" (reset) packet to let the server know that it did not request a connection.
• But with over 4 billion Internet addresses, the chances are that there will be no machine at the address and the packet will be discarded.
Reflection SYN Flooding
• With a reflection SYN flooding attack the attacking machines send out huge volumes of SYN packets but with the IP source address pointing to the target machine.
• The TCP three-way handshake requires that any TCP based service that receives a SYN packet must respond with a SYN/ACK packet.
• The servers and routers that receive these fraudulent SYN packets dutifully send out the SYN/ACK packet to the machine pointed to by the SYN packet's IP source address.
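As an added example, not from the slides, a defender-side view of the handshake and reflection behaviour described above: the three-way handshake state is replayed over constructed packet summaries to count half-open connections per server port (the symptom of a SYN flood) and SYN/ACKs arriving for SYNs this host never sent (the symptom of being the target of a reflection attack). The summary format, addresses, thresholds and function names are all my own.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

Endpoint = Tuple[str, int]

# Constructed packet summaries, one per line: "time src:port > dst:port flags".
# Addresses come from the RFC 5737 documentation ranges; this is not real traffic.
SAMPLE = """\
0.000 192.0.2.10:51000 > 198.51.100.5:80 S
0.001 198.51.100.5:80 > 192.0.2.10:51000 SA
0.002 192.0.2.10:51000 > 198.51.100.5:80 A
0.010 203.0.113.7:40001 > 198.51.100.5:80 S
0.011 203.0.113.8:40002 > 198.51.100.5:80 S
0.012 203.0.113.9:40003 > 198.51.100.5:80 S
0.013 203.0.113.10:40004 > 198.51.100.5:80 S
0.014 198.51.100.5:80 > 203.0.113.7:40001 SA
0.015 198.51.100.5:80 > 203.0.113.8:40002 SA
0.016 198.51.100.5:80 > 203.0.113.9:40003 SA
0.017 198.51.100.5:80 > 203.0.113.10:40004 SA
0.020 192.0.2.50:22 > 198.51.100.5:33000 SA
0.021 192.0.2.51:179 > 198.51.100.5:33001 SA
3.020 192.0.2.50:22 > 198.51.100.5:33000 SA
"""


@dataclass
class Packet:
    t: float
    src: Endpoint
    dst: Endpoint
    flags: str


def parse(text: str) -> List[Packet]:
    """Parse the constructed summary format above."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, _, dst, flags = line.split()
        sh, sp = src.rsplit(":", 1)
        dh, dp = dst.rsplit(":", 1)
        packets.append(Packet(float(t), (sh, int(sp)), (dh, int(dp)), flags))
    return packets


def analyse(packets: List[Packet], host: str) -> Dict[str, Any]:
    """Replay the three-way handshake for every connection that involves `host`.

    state is keyed by (initiator, responder) and moves syn -> synack -> open;
    a connection still in syn/synack at the end is half-open.
    """
    state: Dict[Tuple[Endpoint, Endpoint], str] = {}
    unsolicited: Counter = Counter()          # reflector endpoint -> SYN/ACKs we never asked for
    for p in packets:
        if p.flags == "S" and host in (p.src[0], p.dst[0]):
            state.setdefault((p.src, p.dst), "syn")
        elif p.flags == "SA":                  # flows responder -> initiator
            key = (p.dst, p.src)
            if key in state:
                if state[key] == "syn":
                    state[key] = "synack"
            elif p.dst[0] == host:             # a reply to a SYN this host never sent
                unsolicited[p.src] += 1
        elif p.flags == "A":
            key = (p.src, p.dst)
            if state.get(key) == "synack":
                state[key] = "open"
        elif p.flags in ("R", "RA"):           # either side tore the attempt down
            for key in ((p.src, p.dst), (p.dst, p.src)):
                if key in state:
                    state[key] = "reset"
    half_open: Dict[int, set] = defaultdict(set)   # server port -> initiators left hanging
    for (initiator, responder), s in state.items():
        if responder[0] == host and s in ("syn", "synack"):
            half_open[responder[1]].add(initiator[0])
    return {
        "half_open": {port: sorted(ips) for port, ips in half_open.items()},
        "unsolicited_synack": dict(unsolicited),
    }


def alerts(report: Dict[str, Any], max_half_open: int = 3) -> List[str]:
    """Turn the report into human-readable findings (the threshold is constructed)."""
    out = []
    for port, ips in report["half_open"].items():
        if len(ips) > max_half_open:
            out.append(f"possible SYN flood: {len(ips)} half-open connections on port {port}")
    for (ip, port), n in report["unsolicited_synack"].items():
        out.append(f"unsolicited SYN/ACK from {ip}:{port} x{n}: this host may be a reflection target")
    return out


if __name__ == "__main__":
    for finding in alerts(analyse(parse(SAMPLE), host="198.51.100.5")):
        print(finding)
```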
SYN Reflector Capability
• Consider this: any general-purpose TCP connection-accepting Internet server could be used to reflect SYN packets.
• Here is a short list of the more popular TCP ports:
– 22 (Secure Shell)
– 23 (Telnet)
– 53 (DNS)
– 80 (HTTP/web)
– And, virtually all of the Internet’s routers will accept TCP connections on port 179.
• To fully comprehend the potential of this new form of DoS attack consider this:
– it uses a fundamental Internet communications protocol;
– machines that use this protocol exist in the millions;
– it is extremely easy to generate a list of ‘SYN packet reflectors’.
Generating and Using the ‘SYN Packet Reflector’ List
• A simple script can be constructed to collect a large number of ‘SYN packet reflection’ capable routers and servers.
– Well-known web server farms, such as eBay and Yahoo, are easily available.
– Simple port scans through high bandwidth IP regions will reveal thousands, if not millions, of available TCP servers.
– Readily available tools such as Trace Route provide the IP address of every Internet router between the tracer and any other IP address.
• Given a large list of SYN packet reflectors, each SYN spoofing attack host can distribute its fraudulent SYN packets evenly across every reflector on its list.
Load Balancing the Attack
• The big win for the attacker is that since the SYN flooding machine is distributing its packets across a huge number of SYN packet reflectors, none of the innocent reflectors will experience significant levels of incomplete TCP connections.
• And, since routers generally do not retain any record of previously routed packets, tracing an attack back from the victim to the attacker is extremely difficult.
Force Multipliers
• As if ease of attack and ubiquity of reflectors were not bad enough, it turns out that the reflectors will generate three or four times more SYN/ACK packets than the number of SYN packets they receive.
• Since the TCP server that received the SYN is waiting for an ACK from the machine it sent the SYN/ACK to, it will retransmit the SYN/ACK three or four more times over the next few minutes.
• This TCP protocol feature essentially multiplies the number of malicious SYN/ACK packets being sent to the target machine by a factor of three or four.
• It also means that the flood of SYN/ACK packets will continue to disable the target site for a minute or two even after the attacker has called off the attack.
Collateral Damage
• The basic connection unit in the Internet is the router.
– Some routers serve only a small number of machines while other ‘aggregation routers’ collect and disperse large amounts of packet traffic from smaller networks.
• During normal operations, the traffic flowing through the aggregation routers can be sorted and forwarded to the router's various lower bandwidth client networks.
• Now imagine a SYN/ACK flood that is so large that it starts to degrade the performance of the aggregation router.
– Having to process and disperse so many packets to the client networks, the router will drop and discard a portion of the packets.
– Legitimate Internet clients, trying to access resources that have nothing to do with the target under attack, will also experience degraded, or complete denial of, service.
Solutions to SYN Spoofing
• Operating system vendors responded to spoofed SYN packet DoS attacks by strengthening their TCP "protocol stacks" in various ways.
• Most of these were quantitative improvements to make their systems less vulnerable, but they did not eliminate the problem.
• Two complete, robust, and practical solutions were developed:
– The Unix community invented a clever "stateless" TCP connection system known as "SYN-cookies".
– Steve Gibson implemented a different solution which was dubbed "GENESIS".
• Both of these DoS solutions arrange to stay compatible with all important aspects of the standard TCP protocol.
• They operate by eliminating all allocation of server resources after receiving a SYN packet and generating a SYN/ACK reply.
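As an added illustration of the stateless idea (this is not code from the slides, from any Unix stack, or from GENESIS): a minimal SYN-cookie scheme in Python, where the SYN/ACK's initial sequence number carries an HMAC over the connection 4-tuple and a coarse time counter instead of a queue entry. The bit layout, the 64-second counter, the HMAC construction and the addresses are assumptions of this example.

```python
import hashlib
import hmac
import time

# Server-side secret: constructed for this example; a real stack rotates it.
SECRET = b"example-only-syn-cookie-secret"
# MSS values a 2-bit field can encode; the client's MSS is rounded down to one of these.
MSS_TABLE = (536, 1220, 1440, 1460)
WINDOW = 64  # seconds per counter tick; a cookie is honoured for the current and previous tick


def _counter(now):
    return int(now // WINDOW) & 0x1F  # 5-bit time counter


def _mac(src, sport, dst, dport, counter):
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x01FFFFFF  # 25-bit truncation


def make_cookie(src, sport, dst, dport, client_mss, now=None):
    """Return the 32-bit ISN for the SYN/ACK. No per-connection state is stored:
    5 bits of time counter | 25 bits of MAC over the 4-tuple | 2 bits of MSS index."""
    now = time.time() if now is None else now
    t = _counter(now)
    mss_index = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (t << 27) | (_mac(src, sport, dst, dport, t) << 2) | mss_index


def check_cookie(src, sport, dst, dport, ack_num, now=None):
    """Validate the final ACK of the handshake. Returns the negotiated MSS, or None
    when the cookie is forged, replayed for another 4-tuple, or too old."""
    now = time.time() if now is None else now
    cookie = (ack_num - 1) & 0xFFFFFFFF      # the ACK acknowledges ISN + 1
    t, mss_index = cookie >> 27, cookie & 3
    if (_counter(now) - t) % 32 > 1:         # accept only the current and previous tick
        return None
    expected = _mac(src, sport, dst, dport, t)
    got = (cookie >> 2) & 0x01FFFFFF
    if not hmac.compare_digest(expected.to_bytes(4, "big"), got.to_bytes(4, "big")):
        return None
    return MSS_TABLE[mss_index]


def handshake_demo(spoofed_source):
    """Simulated handshake. Only a peer that actually receives the SYN/ACK can send
    back the right ACK, so a spoofed SYN costs the server nothing but one reply packet."""
    syn = ("198.51.100.7", 40000, "203.0.113.5", 80, 1460)   # constructed 4-tuple + MSS
    isn = make_cookie(*syn, now=1_000_000)
    if spoofed_source:
        return None  # the SYN/ACK went to an address that never asked; no ACK arrives
    return check_cookie(*syn[:4], isn + 1, now=1_000_000)
```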
Bandwidth Consumption
• Unlike a SYN-spoofing DoS attack, in which a low rate of fraudulent SYN packets consumes a vulnerable server's TCP connection resources, a bandwidth attack creates a brute-force flood of malicious "nonsense" Internet traffic to swamp the bandwidth of the target server or of its network connection.
• This malicious packet flood competes with, and overwhelms, the network's valid traffic so that "good packets" have a low likelihood of surviving the flood.
• The network's servers become cut off from the rest of the Internet, and their service is denied.
Internet Aggregation Router
• The computers and/or networks shown to the right are serviced by the central "aggregation router."
– This router is placed at the "customer edge" of the Internet service provider's network to collect and disperse traffic from many smaller customer networks.
– Thus, many lower-bandwidth Internet connections are "aggregated" into a single high-bandwidth Internet connection for routing to the public Internet.
• During normal operation, the traffic coming from the Internet down the "Big Pipe" will be sorted and forwarded to the router's various lower bandwidth client networks.
• Now suppose the Big Pipe is filled by a high volume of packets bound for just one of the router's client networks:
– Faced with the task of squeezing too many packets from the big pipe into the much smaller pipe, the router has no choice but to deliberately drop and discard a large percentage of the packets struggling to get through the smaller pipe.
– Valid Internet clients, trying to access the resources on the far side of the smaller pipe, will resend their dropped packets. But these clients will generally give up after a few attempts. The victim's network is effectively blasted off the Internet by the flood of malicious traffic.
DoS versus DDoS
Distributed zombie traffic aggregation
• As the individual streams of traffic move across the Internet from their many separate sources, they are combined by the Internet's routers to form a single massive flood . . .
SYN FLOODING INTERNET ROUTERS (Bandwidth Attack)
• TCP servers were sending SYN/ACK packets to grc.com in the well-meaning belief that WE wanted to open a TCP connection with their built-in BGP servers.
Blocking the reflection attack
• Gibson Research's reaction to DRDoS:
• First, block any inbound traffic originating from the BGP service port 179.
– Since the malicious hacker's SYN packets were aimed at the intermediate routers' port 179, any reflected packets would be originating from that port.
– Verio's engineer added a "filter" to the aggregation router servicing our Internet connection to block (drop) any packets inbound to us from port 179.
– The flood of packets coming in from port 179 immediately stopped.
• But we did NOT return to the Internet.
Secondary Flooding
• A fresh packet capture revealed that Gibson Research was now being actively flooded by an entirely new set of Internet servers.
• Since this second set of traffic appeared only after the port 179 router traffic had been blocked, it appeared that this second wave of reflection traffic had been unable to compete with the routers' flood.
– (You know you're in trouble when packet floods are competing to flood you.)
• With the routers' traffic blocked, we were now being flooded by SYN/ACK packets pouring in from ports 22 (Secure Shell), 23 (Telnet), 53 (DNS), and 80 (HTTP/Web).
• There were also some packets coming from port 4001 (a proxy server port) and 6668 (IRC chat).
Packet Path Diffusion
• The big win for the attacker is the extreme degree of "packet path diffusion" made possible when attack traffic can be bounced off a large number of intermediate TCP servers. This diagram is a representation of the path of traffic between a single attacker and victim.
Packet Path Diffusion with Reflectors
• The addition of innocent reflection servers substantially transforms the attack.
Packet Path Diffusion with Reflectors
• Upon leaving an attacking machine, the malicious SYN packets immediately fan out.
• No longer aimed at the victim, these attack packets are instead being sent to widely spread TCP servers.
• As we know, these servers are potentially located throughout the entire Internet.
• Just a few "router hops" away from the attacker, the heavy packet flow will no longer be discernible because it will have diffused into neighboring routers rather than following a single path.
Defending against DRDoS
• Routers can be configured to filter (drop) packets destined for a particular address or group of addresses.
– Router port 179 can be blocked as a reflector.
• Since reflected SYN/ACK packets must bounce off a TCP server, and since almost all common service ports fall within the range from 1 to 1023, blocking all inbound packets originating from the service port range will block most of the traffic being innocently generated by reflection servers. Holes in the reflection filter may have to be created to allow legitimate traffic to pass through.
• Block all inbound packets to high-numbered service ports. This has the undesirable effect that legitimate clients of the protected server could be generating connections from those blocked ports.
Defending against DRDoS
• End-user client machines cannot be protected. Most client machines spend all of their time connecting to remote servers all over the Internet and require access to data coming back from many of the most common low-numbered service ports.
• Servers could be programmed to recognize a SYN source IP address that never completes its connections and has an anomalous number of failed connections within a period of time. The target of the reflection attack could then be easily determined and the SYN/ACK response temporarily turned off.
• ISPs could prevent the transmission of fraudulently addressed packets (packets with an IP source address not within their source address space) from within their controlled networks. This control mechanism alone would have a major dampening effect on this type of attack.
EC-Council Scanning Methodology 1/2
1. Check for live systems.
– Something as simple as a ping can provide this.
– This gives you a list of what’s actually alive on your network subnet.
2. Check for open ports.
– Once you know which IP addresses are active, find what ports they’re listening on.
3. Scan beyond IDS.
– Sometimes your scanning efforts need to be altered to avoid those pesky intrusion detection systems.
4. Perform banner grabbing.
– Banner grabbing and OS fingerprinting will tell you what operating system is on the machines and which services they are running.
EC-Council Scanning Methodology 2/2
5. Scan for vulnerabilities.
– Perform a more focused look at the vulnerabilities these machines haven’t been patched for yet.
6. Draw network diagrams.
– A good network diagram will display all the logical and physical pathways to targets you might like.
7. Prepare proxies.
– This obscures your efforts to keep you hidden.
ICMP
• Internet Control Message Protocol (IP management)
• Error handling and debugging protocol
• Not authenticated!
• Encapsulated inside an IP header
• Message types:
– 40 assigned
– 255 possible
– about two dozen in use
• References:
– Network Intrusion Detection, Chapter 4
– http://www.iana.org/assignments/icmp-parameters
Basic ICMP Message Types
• 0 Echo Reply
• 3 Destination Unreachable
• 4 Source Quench
• 5 Redirect
• 8 Echo
• 11 Time Exceeded
• 12 Parameter Problem
• 13 Timestamp
• 14 Timestamp Reply
• 15 Information Request
• 16 Information Reply
ICMP Echo
• a.k.a. Ping
• Destination replies (using the "source IP" of the original message) with "echo reply"
• Data received in the echo message must be returned in the echo reply
• How can this be abused?
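Added example (not from the slides): building and parsing an ICMP echo message in Python, including the one's-complement checksum, and the host-side reply that returns the request's data unchanged as the third bullet requires. The identifier, sequence number and payload are constructed.

```python
import struct

ICMP_ECHO, ICMP_ECHO_REPLY = 8, 0   # type values from the message-type table


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; a valid packet sums to 0."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd-length payload
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:                            # fold carries back in
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_echo(mtype, ident, seq, payload):
    """ICMP header: type, code, checksum, identifier, sequence; then the data."""
    header = struct.pack("!BBHHH", mtype, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", mtype, 0, csum, ident, seq) + payload


def parse_icmp(pkt):
    """Parse an ICMP message, rejecting short packets and checksum mismatches."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    if checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    mtype, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": mtype, "code": code, "id": ident, "seq": seq, "data": pkt[8:]}


def answer_echo(request):
    """What a host does with an echo: same id, seq and data, type flipped to reply.
    Anything other than a type 8 echo is ignored (returns None)."""
    msg = parse_icmp(request)
    if msg["type"] != ICMP_ECHO:
        return None
    return build_echo(ICMP_ECHO_REPLY, msg["id"], msg["seq"], msg["data"])
```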
Scans and Recon
• If an attacker wants to map your network, the trivial way is to ping all the IP addresses in your network...
• Therefore, if you allow pings, your network is exposed.
Port Scanning
• Nmap through TOR
Types of Port Scans
• Consider nmap and TOR combined
• Full connect
– Also known as a TCP connect or full open scan, this runs through a full connection (three-way handshake) on all ports, tearing it down with an RST at the end.
– It is the easiest to detect but it’s possibly the most reliable.
– Open ports will respond with a SYN/ACK, and closed ports will respond with an RST.
• Stealth
– Also known as a half-open scan (and also as a SYN scan).
– Only SYN packets are sent to ports (no completion of the three-way handshake ever takes place).
– Responses from ports are the same as they are for a TCP connect scan.
– This technique is useful in hiding your scanning efforts, possibly bypassing firewalls and monitoring efforts by hiding as normal traffic (it simply doesn’t get noticed because there is no connection to notice).
Types of Port Scans
• Inverse TCP flag
– This scan uses the FIN, URG, or PSH flag (or, in one version, no flags at all) to poke at system ports.
– If the port is open, there will be no response at all.
– If the port is closed, an RST/ACK will be sent in response.
• XMAS
– A Christmas scan is so named because all flags are turned on, so the packet is “lit up” like a Christmas tree.
– Port responses are the same as with an inverse TCP scan.
– XMAS scans do not work against Microsoft Windows machines due to Microsoft’s TCP/IP stack implementation (Microsoft TCP/IP is not RFC 793 compliant).
Types of Port Scans
• ACK flag probe
– According to ECC, there are two versions of this scan, both of which use the same method: the attacker sends the ACK flag and looks at the return header (TTL or Window fields) to determine the port status.
– In the TTL version, if the TTL of the returned RST packet is less than 64, the port is open.
– In the Window version, if the WINDOW size on the RST packet has anything other than zero, the port is open.
• IDLE
– This uses a spoofed IP address (an idle zombie system) to elicit port responses during a scan.
– Designed for stealth, this scan uses a SYN flag and monitors responses as with a SYN scan.
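Added example, not from the slides or from any scanner: the flag combinations above seen from the IDS side, a classifier that names the probe technique a stray inbound segment matches, and a report that aggregates distinct destination ports per source so that the ambiguous single-segment cases (a lone SYN or ACK is also normal traffic) only count in bulk. The captured segments and threshold are constructed.

```python
from collections import defaultdict

# TCP flag bits as laid out in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


def classify_probe(flags):
    """Name the scan technique a single unsolicited TCP segment most resembles, using the
    flag definitions from the slides (XMAS = every flag set; nmap's -sX variant sets only
    FIN/PSH/URG, so that combination is reported as XMAS too)."""
    if flags == 0:
        return "NULL (inverse TCP, no flags)"
    if flags in (ALL_FLAGS, FIN | PSH | URG):
        return "XMAS"
    if flags in (FIN, URG, PSH):
        return "inverse TCP flag"
    if flags == SYN:
        return "SYN (half-open) probe"
    if flags == ACK:
        return "ACK flag probe"
    return "not a recognised probe"


def scan_report(segments, port_threshold=10):
    """Group inbound segments by source IP and report sources whose probe-shaped segments
    touch at least port_threshold distinct destination ports. A legitimate client talks to
    one or two ports; a scanner sweeps many. segments: iterable of (src, dport, flags)."""
    ports, kinds = defaultdict(set), defaultdict(set)
    for src, dport, flags in segments:
        kind = classify_probe(flags)
        if kind == "not a recognised probe":
            continue                       # mid-connection segments (PSH/ACK, SYN/ACK, ...)
        ports[src].add(dport)
        kinds[src].add(kind)
    return {src: {"ports": len(p), "techniques": sorted(kinds[src])}
            for src, p in ports.items() if len(p) >= port_threshold}


# Constructed capture: one SYN sweep with a few XMAS probes, one NULL scan, one real client.
SAMPLE = (
    [("203.0.113.66", p, SYN) for p in range(20, 45)]          # 25 ports, SYN only
    + [("203.0.113.66", p, ALL_FLAGS) for p in (21, 22, 40)]   # XMAS probes, same host
    + [("192.0.2.14", p, 0) for p in range(1, 13)]             # NULL scan over 12 ports
    + [("198.51.100.4", 443, SYN), ("198.51.100.4", 443, ACK),
       ("198.51.100.4", 443, PSH | ACK)]                       # ordinary HTTPS client
)
```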
Evading IDS
• Packet Fragmentation
• IP Address Spoofing
• Proxies
• TOR
Enumeration
• Banner Grabbing – Active and Passive
– Active sends packets to open ports and returns results
– Passive involves reading error messages, sniffing network traffic or looking at page extensions
• NetBIOS Enumeration
– NetBIOS name is a 16 character ASCII string
– Examples: WORKGROUP, Napoleon, Black_Knight
• SNMP Enumeration
– Old versions of SNMP send community strings in the clear
• Other types of enumeration
– LDAP, NTP and SMTP
Summary – Section Objectives
• Understand EC-Council’s scanning methodology
• Describe scan types and the objectives of scanning
• Understand the use of various scanning and enumeration tools
• Describe TCP communication (three-way handshake and flag types)
• Understand basic subnetting
• Understand enumeration and enumeration techniques
• Describe vulnerability scanning concepts and actions
• Describe steps involved in performing enumeration