
Advanced Unix


latif


Presentation Transcript


  1. Advanced Unix

  2. Roses are #FF0000
     Violets are #0000FF
     All My Base Are Belong To You

  3. Bastille Linux
    • http://www.bastille-linux.org
    • Well, best laid plans oft go awry…
    • Bastille Linux does not work on FC6
    • It will work on FC5, 4, 3, etc…
    • Prerequisites for Bastille are:
      • TK - an open source, cross-platform widget toolkit, that is, a library of basic elements for building a graphical user interface (GUI).
      • Curses - a terminal control library for Unix-like systems, enabling the construction of text user interface (TUI) applications

  4. Bastille Linux
    • If TK or Curses are not installed, use the following commands to install them:
      • yum install tk
      • yum install perl-Curses
    • To run Bastille use the following commands:
      • GUI mode: bastille -x
      • TUI mode: bastille -c

  5. Bastille Linux
    • If you are running FC6 you'll have to wait a little while before they support it
    • In the meantime, a quick demo…

  6. Port Scanners
    • Port scanners are useful tools
    • Port scanners are software designed to search a network host or hosts for open ports.
    • This is often used by administrators to check the security of their systems/networks and by crackers to detect attack points

  7. Port Scanners
    • There are numerous port scanners available today: Freeware, Shareware and Commercial off the Shelf (COTS)
    • Many Network/Security Administrators use port scanners to detect unauthorized services running on their network

  8. Port Scanners
    • Nmap ("Network Mapper") is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks.
    • Foundstone Vision: Reports all open TCP and UDP ports and maps them to the owning process or application.

  9. Port Scanners
    • Foundstone Fport: Identify unknown open ports and their associated applications
    • Foundstone Scanline: Formerly FScan. Command line port scanner
    • Foundstone SuperScan: Powerful TCP port scanner, pinger, resolver
    • …and many, many more…

  10. nmap
    • Version 3.70 (should be installed on your class hard drive)
    • Written by Fyodor: fyodor@dhp.com
    • http://www.insecure.org/nmap/
    • To install on your FC6 system:
      • yum install nmap
    • Go ahead and do this now if you haven't already…

  11. Types of Scans
    • TCP scan - simple scan to detect open ports (aka listeners)
    • ACK scan - can find packets allowed through a stateless packet filter.
    • FIN scan - can determine if ports are open/closed, even if SYN packets are filtered.
    • Protocol scan - determines what IP level protocols (TCP, UDP, GRE, etc.) are enabled.
    • Proxy scan - a proxy (SOCKS or HTTP) is used to perform the scan. The target will see the proxy's IP address as the source. This can also be done using some FTP servers.
    • Idle scan - another method of scanning without revealing your IP address, taking advantage of the predictable IPID flaw.
    • ICMP scan - determines if a host responds to ICMP requests, such as echo (ping), netmask, etc.

  12. Types of Scans
    • TCP connect
    • TCP SYN (a.k.a. half-open)
    • TCP FIN (a.k.a. stealth)
    • TCP SYN/FIN using IP fragments
    • TCP ftp proxy (a.k.a. bounce attack)
    • UDP raw ICMP port unreachable
    • RPC scan
    • ACK/WIN scan
    • Ping scan

  13. TCP connect
    Goal: find open TCP ports; option -sT
    • Open a connection to port p on the target
    • If it succeeds, something is listening on that port
    • Repeat for desired values of p
    Advantages:
    • fast; can do many ports in parallel
    • no special privileges needed
    Disadvantages:
    • easy to detect and block (filter)

  14. Example
    # nmap -sT zonker
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:01 PDT
    Interesting ports on zonker.wal (10.1.2.3):
    (The 1653 ports scanned but not shown below are in state: closed)
    Port      State  Service
    21/tcp    open   ftp
    22/tcp    open   ssh
    23/tcp    open   telnet
    25/tcp    open   smtp
    111/tcp   open   rpcbind
    513/tcp   open   login
    514/tcp   open   shell
    759/tcp   open   con
    873/tcp   open   rsync
    6000/tcp  open   X11
    Nmap run completed -- 1 IP address (1 host up) scanned in 1.733 seconds

  15. TCP SYN (a.k.a. half-open)
    Goal: find open TCP ports; option -sS
    • Craft and send a SYN to port p on target
    • ACK: someone listening; RST: no-one listening
    • Send RST to tear down the (incipient) connection
    • Repeat for desired values of p
    Advantages:
    • many sites don't log this
    Disadvantages:
    • need root to craft the initial SYN

  16. Example
    # nmap -sS zonker
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 14:58 PDT
    Interesting ports on zonker.wal (10.1.2.3):
    (The 1653 ports scanned but not shown below are in state: closed)
    Port      State  Service
    21/tcp    open   ftp
    22/tcp    open   ssh
    23/tcp    open   telnet
    25/tcp    open   smtp
    111/tcp   open   rpcbind
    513/tcp   open   login
    514/tcp   open   shell
    759/tcp   open   con
    873/tcp   open   rsync
    6000/tcp  open   X11
    Nmap run completed -- 1 IP address (1 host up) scanned in 2.100 seconds
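Slide 13 notes that a connect scan is "easy to detect", and slide 15 that many sites do not log half-open scans. From the network's point of view the two look alike in one respect that a firewall or flow log does record: a single source sending bare SYNs to many distinct ports on one host within a short time (a half-open scan differs only in that the scanner answers the SYN/ACK with a RST instead of finishing the handshake). The following detector is an added example, not code from the slides or from nmap; it runs over a constructed connection-log format (timestamp, source, destination, port/protocol, TCP flags) rather than the output of any real firewall, and the threshold and window values are assumptions to be tuned per network.

```python
"""Spot TCP connect / SYN port sweeps in a connection log.

Added example.  The log format (timestamp src dst dport/tcp flags) is constructed
for this demonstration and is not any particular product's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dport>\d+)/tcp\s+(?P<flags>[A-Z]+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport, flags) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["flags"])


def detect_sweeps(lines, window=timedelta(seconds=60), threshold=20):
    """Return {(src, dst): max_distinct_ports} for every source/destination pair whose
    bare SYNs (flags exactly 'S') reached at least `threshold` distinct ports inside
    some interval no longer than `window`.  Threshold and window are assumed defaults."""
    events = sorted(e for e in map(parse_line, lines) if e is not None and e[4] == "S")
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _flags in events:
        by_pair[(src, dst)].append((ts, dport))

    alerts = {}
    for pair, evs in by_pair.items():
        in_window = defaultdict(int)   # port -> number of events currently inside the window
        start = 0                      # index of the oldest event still inside the window
        best = 0
        for ts, dport in evs:
            in_window[dport] += 1
            # slide the left edge forward until the window spans at most `window`
            while ts - evs[start][0] > window:
                old_port = evs[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            best = max(best, len(in_window))
        if best >= threshold:
            alerts[pair] = best
    return alerts


def build_sample_log():
    """Constructed sample: 10.1.2.50 sweeps ports 1-30 on 10.1.2.3 within three seconds,
    while 10.1.2.77 makes ordinary ssh/http connections spread over five minutes."""
    base = datetime(2005, 6, 22, 15, 1, 0)
    lines = []
    for i, port in enumerate(range(1, 31)):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 10.1.2.50 10.1.2.3 {port}/tcp S")
    for i in range(10):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 10.1.2.77 10.1.2.3 {22 if i % 2 else 80}/tcp S")
    lines.append("2005-06-22T15:01:05 10.1.2.3 10.1.2.50 22/tcp SA")  # a reply; not a bare SYN, ignored
    lines.append("not a log line")                                     # malformed; ignored
    return lines


if __name__ == "__main__":
    for (src, dst), n in detect_sweeps(build_sample_log()).items():
        print(f"port sweep: {src} -> {dst}, {n} distinct ports within 60 s")
```

The sweep shows up as one pair with 30 distinct ports in the window, while the benign host never exceeds two. Counting distinct destination ports rather than raw SYNs is what keeps a busy but legitimate client from alerting; lowering the threshold to catch slow scans (the "sneaky" and "paranoid" timings on slide 33) trades against false positives, which is why the window and threshold are left as parameters.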

  17. TCP FIN (a.k.a. stealth)
    Goal: find open TCP ports; option -sF
    • Send FIN to port p on target
    • If RST, port closed; if nothing, port open
    • Repeat for desired values of p
    Advantages:
    • even fewer log this
    Disadvantages:
    • some systems always send RSTs (e.g., IRIX, Windows)

  18. Example
    # nmap -sF zonker
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:04 PDT
    Interesting ports on zonker.wal (10.1.2.3):
    (The 1653 ports scanned but not shown below are in state: closed)
    Port      State          Service
    21/tcp    open|filtered  ftp
    22/tcp    open|filtered  ssh
    23/tcp    open|filtered  telnet
    25/tcp    open|filtered  smtp
    111/tcp   open|filtered  rpcbind
    513/tcp   open|filtered  login
    514/tcp   open|filtered  shell
    759/tcp   open|filtered  con
    873/tcp   open|filtered  rsync
    6000/tcp  open|filtered  X11
    Nmap run completed -- 1 IP address (1 host up) scanned in 4.228 seconds
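Slides 14, 16 and 18 show the same host scanned three ways, and the FIN scan reports every port as open|filtered where the connect scan said open: a FIN probe that gets no reply cannot tell an open port from a filter that silently drops packets. The parser below is an added example (not from the slides or the nmap project) for the port table in nmap's normal output; its two inputs are the slide 14 and slide 18 results re-broken into one line per port, so that the two scans can be compared programmatically.

```python
"""Parse the port table of nmap's normal output and compare two scans of one host.

Added example.  The two inputs are the connect-scan (slide 14) and FIN-scan (slide 18)
outputs from the slides, reflowed to one line per port.
"""
import re

CONNECT_SCAN = """\
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:01 PDT
Interesting ports on zonker.wal (10.1.2.3):
(The 1653 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
111/tcp open rpcbind
513/tcp open login
514/tcp open shell
759/tcp open con
873/tcp open rsync
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 1.733 seconds
"""

FIN_SCAN = """\
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:04 PDT
Interesting ports on zonker.wal (10.1.2.3):
(The 1653 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open|filtered ftp
22/tcp open|filtered ssh
23/tcp open|filtered telnet
25/tcp open|filtered smtp
111/tcp open|filtered rpcbind
513/tcp open|filtered login
514/tcp open|filtered shell
759/tcp open|filtered con
873/tcp open|filtered rsync
6000/tcp open|filtered X11
Nmap run completed -- 1 IP address (1 host up) scanned in 4.228 seconds
"""

# one port line: "<port>/<proto> <state> <service...>"; service may be empty or contain spaces
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[a-z|]+)\s*(?P<service>.*)$")
NOT_SHOWN_RE = re.compile(r"\(The (?P<n>\d+) ports scanned but not shown below are in state: (?P<state>\w+)\)")


def parse_ports(text):
    """Return {(port, proto): (state, service)} for every port line in the output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports[(int(m["port"]), m["proto"])] = (m["state"], m["service"].strip())
    return ports


def not_shown(text):
    """Return (count, state) from the 'ports scanned but not shown' line, or None if absent."""
    m = NOT_SHOWN_RE.search(text)
    return (int(m["n"]), m["state"]) if m else None


def definite_open(text):
    """Ports nmap is sure are open (state exactly 'open'), sorted."""
    return sorted(p for p, (state, _) in parse_ports(text).items() if state == "open")


def ambiguous(text):
    """Ports whose state nmap could not resolve ('open|filtered' and similar), sorted."""
    return sorted(p for p, (state, _) in parse_ports(text).items() if "|" in state)


def diff_states(a, b):
    """Ports listed in both outputs whose state differs: {(port, proto): (state_a, state_b)}."""
    pa, pb = parse_ports(a), parse_ports(b)
    return {p: (pa[p][0], pb[p][0]) for p in pa.keys() & pb.keys() if pa[p][0] != pb[p][0]}


if __name__ == "__main__":
    print("definite open (connect):", [p for p, _ in definite_open(CONNECT_SCAN)])
    print("ambiguous (FIN):", [p for p, _ in ambiguous(FIN_SCAN)])
    print("not shown:", not_shown(CONNECT_SCAN))
```

The same parser handles the UDP output on slide 24 (every port open|filtered, for the ICMP reason given on slide 23) and the RPC column on slide 26, where the service field simply carries the "(rpcbind V2)" annotation. When reconciling scans against an inventory, treat only the definite_open set as confirmed listeners and the ambiguous set as work to resolve with a different probe type.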

  19. Variants
    Option -sX
    • Christmas tree packet (FIN, URG, PUSH flags)
    Option -sN
    • Null packet (all flags turned off)
    Same expected result as for -sF

  20. TCP SYN/FIN Using IP Fragments
    Goal: find open TCP ports; option -f (modifies -sF, -sX, -sN, -sS)
    • Split the header up over several packets
    Advantages:
    • makes it harder for packet filters to detect the probe
    Disadvantages:
    • can cause monitoring tools to crash
    • high overhead on networks

  21. TCP FTP Proxy (a.k.a. Bounce Attack)
    Goal: find open TCP ports; option -b user:password@serverhost:port
    • Connect to serverhost using user with password
    • Set up proxy to port p on target (use PORT)
    • Send over an ls of current directory
      • if no-one's there, ftp server returns 425 message
      • if someone listening, ftp server returns 150 message
    • Repeat for desired values of p
    This hides who is doing the probing

  22. Example
    # nmap -b anonymous:bishop-at-nob.cs.ucdavis.edu@ftp.wal zonker.wal
    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan
    Interesting ports on zonker.wal (10.1.2.3):
    (The 1591 ports scanned but not shown below are in state: closed)
    Port      State  Service
    20/tcp    open   ftp-data
    21/tcp    open   ftp
    22/tcp    open   ssh
    24/tcp    open   priv-mail
    25/tcp    open   smtp
    80/tcp    open   http
    111/tcp   open   sunrpc
    515/tcp   open   printer
    1023/tcp  open   unknown
    6000/tcp  open   X11
    Nmap run completed -- 1 IP address (1 host up) scanned in 37 seconds
    If ICMP echos are blocked, give -P0 to prevent the check for being up

  23. UDP Raw ICMP Port Unreachable
    Goal: find UDP ports with listeners; option -sU
    • Send 0 byte UDP packet to port p on target
    • Wait for ICMP port unreachable message
      • if you get it, no-one's listening
      • if you don't, someone is
    • Repeat for desired values of p
    Disadvantage:
    • usually slow due to ICMP error rate limits

  24. Example
    # nmap -sU zonker.wal
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:57 PDT
    Interesting ports on zonker.wal (10.1.2.3):
    (The 1467 ports scanned but not shown below are in state: closed)
    Port      State          Service
    68/udp    open|filtered  dhcpclient
    111/udp   open|filtered  rpcbind
    123/udp   open|filtered  ntp
    513/udp   open|filtered  who
    631/udp   open|filtered  unknown
    800/udp   open|filtered  mdbs_daemon
    866/udp   open|filtered  unknown
    Nmap run completed -- 1 IP address (1 host up) scanned in 1492.935 seconds

  25. RPC Scan
    Goal: find ports with RPC services; option -sR (use with -sT, -sU)
    • If port p on target is open, send RPC NULL command
    • goal is to determine if p is an RPC port; if so, what program and version number is served there

  26. Example
    # nmap -sT -sR zonker.wal
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 16:57 PDT
    Interesting ports on zonker.wal (10.1.2.3):
    (The 1654 ports scanned but not shown below are in state: closed)
    Port      State  Service (RPC)
    21/tcp    open   ftp
    22/tcp    open   ssh
    24/tcp    open   priv-mail
    25/tcp    open   smtp
    80/tcp    open   http
    111/tcp   open   sunrpc (rpcbind V2)
    515/tcp   open   printer
    1023/tcp  open   (nfs V2)
    6000/tcp  open   X11
    Nmap run completed -- 1 IP address (1 host up) scanned in 1.962 seconds

  27. ACK/WIN scan
    Goal: see if the intervening firewall is a packet filter or stateful; option -sA
    • Send ACK to port p on target
    • Response RST: unfiltered, can get through it
    • Response ICMP unreachable, or nothing: filtered, probably dropped

  28. Ping Scan
    Goal: see which hosts are up; option -sP
    • Send ICMP echo to all IP addresses on network
    • Send ACK packet to port 80
      • RST back means it's up
    • Send SYN packet, wait for RST or SYN/ACK
    Default is first two in parallel

  29. Example
    # nmap -sP 10.1.2.1-127
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 16:57 PDT
    Host joanie.wal (10.1.2.1) appears to be up.
    …
    Host mike.wal (10.1.2.125) appears to be up.
    Nmap run completed -- 127 IP addresses (48 hosts up) scanned in 4 seconds

  30. Targets
    • hostname
    • IP address
    • * is wildcard
    • /mask
    Example: a class C network is:
      10.1.2.*
      10.1.2.0-255
      10.1.2.0/24
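Slide 30 gives three spellings of one class C, and slide 29 uses a per-octet range (10.1.2.1-127). Before an authorized scan is run, the spec is worth expanding to the concrete address list and checking against the range that was actually approved, since a wildcard in the wrong octet turns a /24 into 65,536 hosts. The expander below is an added example, not code from the slides or from nmap; it implements the spec forms the slides show (plain address, hostname, CIDR, and `*` or `a-b` in any octet) and goes slightly beyond them by accepting open-ended octet ranges such as `200-`.

```python
"""Expand nmap-style target specs and check them against an authorized range.

Added example; covers the target forms on slides 29 and 30 (hostname, address,
per-octet '*' and 'a-b', and CIDR), plus open-ended octet ranges like '200-'.
"""
import ipaddress
from itertools import product


def is_ipv4_spec(spec):
    """True for dotted specs built from digits, '*', '-' and '/'; anything else is a hostname."""
    return spec.count(".") == 3 and all(c.isdigit() or c in ".*-/" for c in spec)


def _octet_values(part):
    """Values one octet field covers: '7' -> [7], '*' -> 0..255, '1-127' -> 1..127, '200-' -> 200..255."""
    if part == "*":
        return range(256)
    if "-" in part:
        lo, hi = part.split("-", 1)
        lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 255)
    else:
        lo = hi = int(part)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range out of bounds: {part!r}")
    return range(lo, hi + 1)


def expand_target(spec):
    """Return the IPv4 addresses (as strings, ascending) that a target spec covers.
    A hostname is returned unchanged as a one-element list; it is not resolved."""
    if not is_ipv4_spec(spec):
        return [spec]
    if "/" in spec:
        # CIDR: the whole block, network and broadcast addresses included, matching 10.1.2.0-255
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = [_octet_values(p) for p in spec.split(".")]
    return [".".join(map(str, combo)) for combo in product(*octets)]


def same_targets(*specs):
    """True if every spec expands to exactly the same address set."""
    sets = [set(expand_target(s)) for s in specs]
    return all(s == sets[0] for s in sets[1:])


def within_authorized(spec, authorized_cidr):
    """True if every address in spec lies inside authorized_cidr.
    Hostnames cannot be checked offline, so they are reported as not verified."""
    if not is_ipv4_spec(spec):
        return False
    net = ipaddress.ip_network(authorized_cidr, strict=False)
    return all(ipaddress.ip_address(a) in net for a in expand_target(spec))


if __name__ == "__main__":
    print(same_targets("10.1.2.*", "10.1.2.0-255", "10.1.2.0/24"))   # True
    print(len(expand_target("10.1.2.1-127")))                          # 127
    print(within_authorized("10.1.2.1-127", "10.1.2.0/24"))            # True
    print(within_authorized("10.1.*.*", "10.1.2.0/24"))                # False
```

Hostnames are deliberately left unresolved: a scope check that silently resolves names would depend on DNS answers at check time, so the function reports them as unverified and leaves the operator to resolve and re-check explicitly.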

  31. Other Interesting Options
    -O    guess the OS type
          • Indicates how hard guessing was
    -g p  source port is p
          • Sometimes setting this to 53 (DNS) gets you through when others won't
    -r    do not randomize order of ports scanned
    -p p  limit scans to ports in given range
          • Example: -p 1-10,30-60,345,60000-

  32. A Couple More …
    -L f  targets come from file f
    -I    get login name of user running server
          • remote system must honor ident protocol
          • if they send back a crypto hash, you know nothing more
          • very useful to see if the web server is running as root …

  33. Timing Options
    Option -T<timing> controls the scan:
    • paranoid   - serialize scans, 5 min between packets
    • sneaky     - paranoid but 15 sec between packets
    • polite     - serialize, wait ≥0.4 sec between packets
    • normal     - default behavior (adaptive)
    • aggressive - 5 min timeout per host, wait <1.25 sec for probe responses
    • insane     - aggressive with 75 sec timeouts and <0.3 sec waits
