Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning 2008 Fall
Objectives • Port scanning • Port-scanning tools • Ping sweeps
Introduction to Port Scanning (1) • Port Scanning • Finds out which services a host computer offers • Identifies vulnerabilities • Scan all ports when testing, not just the well-known ports (0-1023) • Open services can be targeted by attacks • Identify a vulnerable port via scanning • Then launch an exploit against the service listening there • E.g. ?
Introduction to Port Scanning (2) • Port-scanning programs report • Open ports • Closed ports • Filtered ports • Best-guess assessment of which OS is running Discussion: closed port vs. filtered port • A closed port answers the probe (a TCP RST, or an ICMP Port Unreachable for UDP) • A filtered port gives no answer, or an ICMP unreachable from a filtering device, because a firewall or ACL dropped the probe • Only an open port completes the exchange
Types of Port Scans • SYN scan • Stealth (half-open) scan: sends SYN, never completes the handshake • Connect scan • Completes the three-way handshake (what an ordinary client does; logged by the application) • NULL scan • No TCP flags set • XMAS scan • FIN, PSH and URG flags are set
Types of Port Scans (continued) • ACK scan • Used to get past a firewall: a RST reply means the port is unfiltered, no reply means it is filtered; it does not show whether the port is open • FIN scan • Closed port responds with an RST packet; an open port stays silent (so "no reply" means open or filtered) • UDP scan • Closed port responds with ICMP "Port Unreachable" message; open or filtered ports usually give no reply, so UDP scans are slow and ambiguous
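The three port states above are easiest to see with a connect scan, because the operating system's socket layer already distinguishes them: a completed handshake (open), an immediate RST (closed) and silence until a timeout (filtered). The following is an added example, not code from the slides or from any of the tools named in the chapter: a standard-library Python connect scanner that maps those outcomes to states. The host and port list are whatever you pass in; local_demo() constructs its own listener on the loopback address so it can run offline.

```python
# Added example (not from the slides): TCP connect scan with open/closed/
# filtered classification, standard library only.
import errno
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Run the full three-way handshake against one port and classify it.

    open      connect() returned: the target answered SYN/ACK
    closed    the target answered RST, surfaced as ECONNREFUSED
    filtered  nothing came back before the timeout: a firewall or ACL
              dropped the probe (or the host silently discards it)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError as exc:
            # No route to the host is not a statement about the port; keep it
            # separate so it is not mistaken for a dropping firewall.
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            raise


def connect_scan(host, ports, timeout: float = 1.0, workers: int = 32) -> dict:
    """Scan a list of ports concurrently; each filtered port costs a full
    timeout, so parallelism is what keeps connect scans usable."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def local_demo():
    """Self-contained check on 127.0.0.1 (constructed for the example):
    one port with a listener (expected 'open') and one port that was bound
    and released just before the scan (expected 'closed')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        states = connect_scan("127.0.0.1", [open_port, closed_port], timeout=0.5)
    finally:
        listener.close()
    return states[open_port], states[closed_port]


if __name__ == "__main__":
    print(local_demo())  # ('open', 'closed')
```

The loopback demo cannot produce "filtered"; to see that state, point connect_scan at a host behind a firewall that drops rather than rejects, and note that every such port takes the whole timeout. Because the handshake completes, the listening service sees a real connection and will usually log it; that is the trade-off against the SYN scan on the previous slide.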
Objectives • Port scanning • Port-scanning tools • Ping sweeps
Using Port-Scanning Tools • Nmap • Genlist • Zenmap • Unicornscan • NetScanTools Pro 2004 • Nessus
Nmap (1) • Nmap ("Network Mapper") • An open source tool for network exploration and security auditing • Although it is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime
Nmap (2) • Nmap can rapidly scan large networks, to determine: • what hosts are available on the network, • what services (application name and version) those hosts are offering, • what operating systems (and OS versions) they are running, • what type of packet filters/firewalls are in use, • And dozens of other characteristics …
Nmap Example nmap -sS -P0 -O -T Sneaky -p 445 -D 64.233.169.99 <ip_to_scan> • Stealth scan (-sS) which does not complete the TCP connection. This is fairly fast and unobtrusive. • The -P0 flag tells Nmap NOT to ping the IP first, which adds to stealth (current Nmap versions spell this -Pn). • -O requests OS fingerprinting. • The -T timing flag can be set from Sneaky (-T1) to Insane (-T5) and determines the speed of packet generation. • The -p flag specifies the port or a port range. • The -D flag allows you to specify a number of decoys. • Googlebot's IP address is used as a decoy so that Nmap generates packets from both your IP address and Googlebot's IP address. This confuses the target about which source is the real scanner, but it does not hide you: your real address still appears among the sources, and the decoy host must be up or the target may be able to tell it apart.
Genlist • Genlist is a program that returns a list of hosts responding to ping probes. • This list can then be fed to Nmap to scan only the live machines. • Example: • Generate a list of live hosts and save it to a file called "list": genlist -s 216.109.112.\* > list • Use Nmap to scan that list: nmap -v -iL list
Zenmap • Zenmap is the official Nmap Security Scanner GUI. • A multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application • Makes Nmap easy for beginners to use • Also provides advanced features for experienced Nmap users.
Main Features of Zenmap • Frequently used scans can be saved as profiles to make them easy to run repeatedly. • A command creator allows interactive creation of Nmap command lines. • Scan results can be saved in a searchable database and viewed later.
Advantages of Zenmap over plain Nmap • Results viewing • The display can be arranged to show all ports on a host or all hosts running a particular service. • The results of several scans may be combined and viewed at once. • Comparison • Graphically shows the differences between two scans: scans run on different days, scans of two different hosts, scans of the same hosts with different options, or any other combination. • Convenience • Keeps track of scan results until you choose to throw them away. • Repeatability • Command profiles make it easy to run the exact same scan more than once.
Unicornscan • Unicornscan is a scalable port scanner • developed in 2004 • uses CPU specific instructions to track the packets per second (PPS) you specify as closely as possible. • E.g., From a single Pentium system, it is typical to be able to generate up to 25,000 PPS or more • Ideal for conducting tests on large networks
Unicornscan features • UDP scanning is optimized for speed • UDP scanning is an unreliable method of discovering live systems on a network (open UDP ports usually do not answer) • Scans 65,535 ports in three to seven seconds • Unicornscan also handles port scanning using TCP, ICMP, and IP
Example 1: UDP-Protocol-Specific-Payload Based Scanning # unicornscan -r200 -mU -I 192.168.0.0/24:53 • Option / Description • -r200: 200 packets per second • -mU: scan mode UDP • -I: immediately display results on the screen as received • :53: port 53
Example 2: TCP Scanning # unicornscan -r500 -mT www.yahoo.com/29:80,443 • Option / Description • -r500: 500 packets per second • -mT: scan mode TCP (TCP is the default mode if not otherwise specified) • /29: scan the /29 block containing the resolved address • :80,443: ports 80 and 443
Unicornscan TCP scanning Flags • Common flag schemes: • a SYN scan: -mT • an ACK scan: -mTsA • a FIN scan: -mTsF • a Null scan: -mTs • an Nmap-style Xmas scan: -mTsFPU • a scan with all options on: -mTFSRPAUEC
NetScanTools Pro 2004 • NetScanTools Pro is a robust easy-to-use commercial tool • Supported OSs: *NIX, Windows • Types of tests • Database vulnerabilities • E-mail account vulnerabilities • DHCP server discovery • IP packets and name servers • OS fingerprinting
Nessus • Nessus is capable of: • high-speed discovery, • configuration auditing, • asset profiling, • sensitive data discovery and vulnerability analysis • Nessus uses a client/server architecture • Server: any *NIX platform • Client: UNIX or Windows • Conducts testing from different locations (the client can drive a server sitting inside the network being tested)
Nessus security plug-ins • A Nessus security plug-in is a security test program (script) that can be selected from the client interface. • Nessus can update its security-check plug-ins • Plug-ins find vulnerabilities associated with the services identified by the port scan
Objectives • Port scanning • Port-scanning tools • Ping sweeps
Ping Sweeps • Ping sweeps identify which IP addresses belong to active hosts • Problems of Ping Sweeps • Computers that are shut down cannot respond • Hosts may be configured to ignore ICMP Echo Requests • Firewalls may filter out ICMP traffic, so "no reply" does not prove the host is down
Ping • Ping uses the Internet Control Message Protocol (ICMP) • Sends out ICMP Echo Requests (ICMP ECHO_REQUEST) and then waits for a valid reply (an ICMP ECHO_REPLY) • Tells you that the destination is reachable, and (with the -R record-route option) the route between your computer and the other one
FPing • FPing (Fast Ping) • Similar to the ping program: sends out ICMP Echo Request packets and reports on host reachability, packet loss, and round-trip delay. • Unlike ping • fping sends ICMP packets to multiple IP addresses simultaneously rather than waiting for each reply in turn • fping is meant to be used in scripts and its output is easy to parse.
Enter IP addresses in Fping • Manually enter a range or a block at a shell (-g generates the target list): # fping -g 193.145.85.201 193.145.85.220 # fping -g 192.168.1.0/24 • Input file with addresses, one per line: # fping -f AddressFile
Fping options • Interval between sending ping packet -i 30 • The count of pings to send to each target -c 2 • Number of retries -r 3 • Amount of ping data to send -b 100 • Etc.
Hping • Hping is a command-line oriented TCP/IP packet assembler/analyzer • Allows users to fragment and manipulate IP packets • Can be used to test, and sometimes bypass, filtering devices • Supports TCP, UDP, ICMP and RAW-IP protocols
Hping Crafts IP Packets • Crafting packets helps you obtain more information about a service • Source IP address • Destination IP address • Flags: SYN, ACK, FIN …
Hping as a port scanner (1) • Crafting TCP packets is the default behavior of hping. • By specifying the TCP flags, a destination port and a target IP address, one can easily construct TCP packets. • SYN scan or Stealth scan • An open port is indicated by an SA (SYN/ACK) return packet, a closed port by an RA (RST/ACK) • E.g. 1 # hping -I eth0 -S 192.168.10.1 -p 80
Hping as a port scanner (2) • A nice feature is ++, which increases the destination port by one for each packet sent. • E.g. 2 # hping -I eth0 -S 192.168.10.1 -p ++79 | grep SA • starts at port 79 and walks upward; the grep keeps only the SYN/ACK replies, i.e. the open ports • All known Nmap scanning techniques can be reproduced this way
Idle scanning (1) • Idle scanning is a technique to port scan a remote system without the scanning host's own address ever appearing in the target's traffic or logs. • Three hosts take part in idle scanning • The Attacker runs two sessions of hping • The Server is the machine to be scanned • The Silent host is a machine that is not busy generating packets • It must have a predictable (sequential) increase in the IP header IDENTIFICATION field.
Idle scanning (2) • A suitable silent host can be found by running the following hping probe; the IP ID in the replies must go up by exactly one per packet:
# hping -I eth0 -SA 192.168.10.1
HPING 192.168.10.1 (eth0 192.168.10.1): SA set, 40 headers + 0 data bytes
len=46 ip=192.168.10.1 flags=R seq=0 ttl=255 id=18106 win=0 rtt=0.4 ms
len=46 ip=192.168.10.1 flags=R seq=1 ttl=255 id=18107 win=0 rtt=0.4 ms
len=46 ip=192.168.10.1 flags=R seq=2 ttl=255 id=18108 win=0 rtt=0.4 ms
...
Idle scanning procedure (1) • The attacker runs a continuous probe against the silent host, and at the same time scans the server with packets spoofed to carry the silent host's IP address. Step 2: a spoofed scan of the server by the attacker (-a sets the source address):
# hping -I eth0 -a 192.168.10.1 -S 192.168.10.33 -p ++20
HPING 192.168.10.33 (eth0 192.168.10.33): S set, 40 headers + 0 data bytes
• No replies appear here: the server answers the silent host, not the attacker.
Idle scanning procedure (2) Steps 1 and 4: a continuous probe from the attacker to the silent host to monitor the IP IDENTIFICATION field (-r prints each id relative to the previous reply):
# hping -I eth0 -r -S 192.168.10.1 -p 2000
HPING 192.168.10.1 (eth0 192.168.10.1): S set, 40 headers + 0 data bytes
..
len=46 ip=192.168.10.1 flags=RA seq=86 ttl=255 id=+1 win=0 rtt=1.6 ms
len=46 ip=192.168.10.1 flags=RA seq=87 ttl=255 id=+2 win=0 rtt=1.6 ms (port 21)
len=46 ip=192.168.10.1 flags=RA seq=88 ttl=255 id=+1 win=0 rtt=1.8 ms
len=46 ip=192.168.10.1 flags=RA seq=89 ttl=255 id=+1 win=0 rtt=1.7 ms
len=46 ip=192.168.10.1 flags=RA seq=90 ttl=255 id=+1 win=0 rtt=1.8 ms
len=46 ip=192.168.10.1 flags=RA seq=91 ttl=255 id=+2 win=0 rtt=1.4 ms (port 25)
• Every id=+2 marks a spoofed SYN that hit an open port on the server (ports 21 and 25 here, since the scan started at port 20 and advanced one port per packet).
Why does Idle scanning work? • Scenario 1: open port • If the attacker scans an open port on the server with a spoofed SYN, the server responds with a SYN/ACK to the silent host. • The silent host did not ask for that connection, so it reacts by sending a RST to the server, which increases its IP_ID by one. • The reply to the attacker's next probe therefore carries an IP_ID 2 units higher than the previous reply (its own reply plus the RST): hping -r shows id=+2.
Why does Idle scanning work? • Scenario 2: closed port • If the attacker sends a spoofed SYN to a closed port on the server • The server sends a RST to the silent host, and a host receiving an unsolicited RST sends nothing back. • IP_ID increases by only one (the reply to the attacker's own probe), since this RST is discarded by the silent host. • A filtered port, which gets no reply from the server at all, looks exactly the same as a closed one; idle scanning cannot tell the two apart. • If the silent host is not really idle, its own traffic adds extra increments and the result is unreliable.
SYN ATTACK by Hping (1) • Example: against an IIS 5.0 Windows 2000 SP4 Professional machine. • To avoid the attacking machine answering the SYN/ACKs with a TCP reset (which would tear the half-open connections down), use a spoofed source address with the -a switch. • To increase the packets-per-second rate, use the -i switch with a u prefix to give the interval in microseconds • E.g., -i u1000 means one packet every 1000 microseconds.
# hping -I eth0 -a 192.168.10.99 -S 192.168.10.33 -p 80 -i u1000
SYN ATTACK by Hping (2) From the hping manual:
-i --interval Wait the specified number of seconds or microseconds between sending each packet. --interval X sets the wait to X seconds, --interval uX sets the wait to X microseconds. The default is to wait one second between each packet. When using hping2 to transfer files, tuning this option is really important in order to increase the transfer rate.
--fast Alias for -i u10000. hping will send 10 packets per second.
--faster Alias for -i u1. Faster than --fast ;) (but not as fast as your computer can send packets, due to the signal-driven design).
--flood Send packets as fast as possible, without taking care to show incoming replies. This is way faster than specifying the -i u0 option.
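The two idle-scan scenarios above come down to one number: how much the silent host's IP ID advanced between two of the attacker's own probes. The following is an added example, not code from the slides or from hping, that simulates the three hosts offline and infers port states purely from those IP ID deltas, the way the attacker reads the id=+1 / id=+2 lines in the hping output. The addresses (192.168.10.1 as the silent host, 192.168.10.33 as the server, 192.168.10.5 as the attacker), the starting IP ID and the server's open and filtered ports are constructed for the demonstration; the zombie_noise knob models a silent host that is not actually idle.

```python
# Added example (not from the slides or hping): offline simulation of idle
# scanning. Attacker, silent host and server are plain Python objects; the
# only information the attacker uses is the IP ID in replies to its own probes.
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str      # hping-style: "S", "SA", "R", "RA", "A"
    ip_id: int = 0  # IP header IDENTIFICATION field set by the sender


class SilentHost:
    """Idle 'zombie': one global IP ID counter, +1 for every packet it sends.

    Behaves as the slides describe: an unsolicited SYN/ACK gets a RST (which
    consumes an IP ID), an unsolicited RST is dropped silently, and a SYN to a
    closed port gets RST/ACK (this is the attacker's 'hping -r -S ... -p 2000')."""

    def __init__(self, ip: str, start_id: int = 18106):
        self.ip = ip
        self.ip_id = start_id

    def _send(self, dst: str, dport: int, flags: str) -> Packet:
        self.ip_id += 1
        return Packet(self.ip, dst, dport, flags, self.ip_id)

    def receive(self, pkt: Packet):
        if pkt.flags == "SA":
            return self._send(pkt.src, pkt.dport, "R")
        if pkt.flags == "S":
            return self._send(pkt.src, pkt.dport, "RA")
        return None  # RST from the server: discarded, no packet, no ID used

    def unrelated_traffic(self, n: int) -> None:
        """Model a zombie that is not idle: n packets to some other peer."""
        for _ in range(n):
            self._send("192.168.10.200", 80, "A")  # constructed peer address


class Server:
    """Target: SYN to an open port -> SYN/ACK, closed port -> RST,
    filtered port -> no reply at all."""

    def __init__(self, ip: str, open_ports, filtered_ports=()):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive(self, pkt: Packet):
        if pkt.flags != "S" or pkt.dport in self.filtered_ports:
            return None
        if pkt.dport in self.open_ports:
            return Packet(self.ip, pkt.src, pkt.dport, "SA")
        return Packet(self.ip, pkt.src, pkt.dport, "R")


def idle_scan(attacker_ip, zombie, server, ports, zombie_noise=0) -> dict:
    """Return {port: state}, inferred only from the zombie's IP ID deltas."""
    results = {}
    for port in ports:
        # Steps 1/4: the attacker's own probe to the silent host; the RST/ACK
        # reply carries the zombie's current IP ID.
        before = zombie.receive(Packet(attacker_ip, zombie.ip, 2000, "S")).ip_id
        # Step 2: SYN to the server with the source spoofed as the zombie
        # (hping -a <zombie> -S <server> -p <port>). Nothing comes back to us.
        server_reply = server.receive(Packet(zombie.ip, server.ip, port, "S"))
        # Step 3: the server's answer, if any, goes to the zombie.
        if server_reply is not None:
            zombie.receive(server_reply)
        zombie.unrelated_traffic(zombie_noise)
        after = zombie.receive(Packet(attacker_ip, zombie.ip, 2000, "S")).ip_id
        delta = after - before  # what 'hping -r' prints as id=+N
        if delta == 1:
            results[port] = "closed|filtered"  # only the reply to our own probe
        elif delta == 2:
            results[port] = "open"             # our reply + the zombie's RST
        else:
            results[port] = "inconclusive"     # the zombie was not idle
    return results


def demo() -> dict:
    zombie = SilentHost("192.168.10.1")
    server = Server("192.168.10.33", open_ports={21, 25}, filtered_ports={23})
    return idle_scan("192.168.10.5", zombie, server, range(20, 26))


if __name__ == "__main__":
    for port, state in demo().items():
        print(port, state)
```

Running demo() reproduces the hping output on the procedure slide: ports 21 and 25 come back "open" and everything else "closed|filtered", including the filtered port 23, which the technique cannot separate from a closed one. Re-running with zombie_noise greater than zero turns every port "inconclusive", which is why the first step of a real idle scan is the -SA probe that checks the candidate host's IP ID really advances by exactly one per packet.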