Scanning BAI514 – Security I
Scanning • The goal of scanning is to discover open ports and find applications vulnerable to hacking
Scanning • The Information Gathering Process • 1 – Gathering information • 2 – Locating the network range • 3 – Identifying active machines • 4 – Finding open ports and applications • 5 – Detecting operating systems • 6 – Fingerprinting services • 7 – Mapping the network • Scanning comprises the last five steps
Identifying Active Machines • Primary reasons • Fill in details of the target network map • Identify perimeter and outer boundary of target network • Create an inventory of accessible systems in the target network
Identifying Active Machines • Ping • Useful ICMP utility • Measures speed at which packets traverse network • Can provide other details of target • TTL • Sequence number • Other?
Identifying Active Machines • Ping (cont.) • ping nnn.nnn.nnn.nnn • Options
-t       Ping host until stopped
-a       Resolve address to hostname
-n n     Number of requests to send
-l n     Send buffer size
-i n     TTL
-v n     TOS
-r n     Record route for n hops
-s n     Timestamp for n hops
-j list  Loose source route along host-list
-k list  Strict source route along host-list
-w n     Timeout in ms to wait for each reply
Identifying Active Machines • Ping Sweeps • Automatically pinging a range of IP addresses • Script • Batch file • Utility • Ping Tools • WS_PingProPack – www.ipswitch.com • NetScan Tools – www.nwpsw.com • Hping – www.hping.org/download.html • Icmpenum – www.nmrc.org
Identifying Active Machines • Ping Sweeps (cont.) • Ping Sweep Detection Tools • Network-based IDS – www.snort.org • Genius – www.indiesoft.com • Scanlogd – www.openwall.com/scanlogd
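The detection tools listed above all work on the same principle: a single source that touches many hosts (ping sweep) or many ports on one host (port scan) inside a short time window. The following script is an added example, not part of the BAI514 slides or of any of the tools named; it runs that sliding-window logic over a constructed connection log whose record format (TIMESTAMP src= dst= proto= dport=/type=) is invented for the example. The sources 10.0.0.9, 10.0.0.7 and 10.0.0.3 and the 192.168.1.0/24 hosts are likewise constructed.

```python
"""Added example: sweep/scan detection over connection logs (not from the BAI514 slides)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def parse_line(line: str) -> Event:
    """Parse one 'TIMESTAMP key=value ...' record (a constructed format, not any vendor's)."""
    ts_str, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(
        ts=datetime.fromisoformat(ts_str),
        src=kv["src"], dst=kv["dst"], proto=kv["proto"],
        dport=int(kv["dport"]) if "dport" in kv else None,
        icmp_type=int(kv["type"]) if "type" in kv else None,
    )


def _t(seconds: int) -> str:
    return (datetime(2024, 3, 1, 10, 0, 0) + timedelta(seconds=seconds)).isoformat()


# Constructed sample log: a ping sweep (20 hosts, one echo request per second),
# a port scan (12 SYNs to one host) and ordinary traffic (three services on one host).
SAMPLE_LOG: List[str] = (
    [f"{_t(i)} src=10.0.0.9 dst=192.168.1.{i + 1} proto=icmp type=8" for i in range(20)]
    + [f"{_t(60 + i)} src=10.0.0.7 dst=192.168.1.10 proto=tcp dport={p} flags=S"
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    + [f"{_t(300 + i)} src=10.0.0.3 dst=192.168.1.10 proto=tcp dport={p} flags=S"
       for i, p in enumerate([80, 443, 22])]
)


def detect_scans(lines: List[str], window: timedelta = timedelta(seconds=60),
                 threshold: int = 10) -> List[Dict]:
    """Flag a source that, within `window`, echo-requests >= threshold distinct hosts
    (ping sweep) or touches >= threshold distinct ports on one host (port scan).
    Each source fires at most once per kind (and per target host for port scans)."""
    recent: Dict[str, Deque[Event]] = defaultdict(deque)
    fired = set()
    alerts: List[Dict] = []
    for ev in (parse_line(l) for l in lines if l.strip()):
        q = recent[ev.src]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:   # slide the window forward
            q.popleft()
        echo_hosts = {e.dst for e in q if e.proto == "icmp" and e.icmp_type == 8}
        if len(echo_hosts) >= threshold and (ev.src, "ping_sweep") not in fired:
            fired.add((ev.src, "ping_sweep"))
            alerts.append({"src": ev.src, "kind": "ping_sweep", "target": "multiple hosts",
                           "count": len(echo_hosts), "at": ev.ts.isoformat()})
        ports_by_host: Dict[str, set] = defaultdict(set)
        for e in q:
            if e.dport is not None:
                ports_by_host[e.dst].add((e.proto, e.dport))
        for dst, ports in ports_by_host.items():
            if len(ports) >= threshold and (ev.src, "port_scan", dst) not in fired:
                fired.add((ev.src, "port_scan", dst))
                alerts.append({"src": ev.src, "kind": "port_scan", "target": dst,
                               "count": len(ports), "at": ev.ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

The thresholds (10 hosts or ports in 60 seconds) are the knobs to tune against a real network's baseline: too low and monitoring systems or busy proxies trip it, too high and a slow scan spread over hours passes unnoticed, which is exactly why the "slow" and "stealthy" scan types discussed later exist.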
Identifying Open Ports and Available Service • Next step after finding active hosts is to locate any open ports and services on the hosts • Techniques include • Port scanning • Banner grabbing • War dialing • War walking/driving
Identifying Open Ports and Available Service • Reasons for identifying listening services on the target • Determine live hosts if ICMP is blocked • Identify potential ports for creating attack vectors • Obtain OS information • Identify specific applications
Identifying Open Ports and Available Service • Port Scanning • The process of connecting to, or attempting to connect to, TCP or UDP ports for the purpose of finding what services and applications are running on the target system. • Email • http • TCP 53 • UDP 161 • UDP/TCP 4
Identifying Open Ports and Available Service • Types of information gathered from scanning • Details of target DNS • Available services • Types and versions of operating systems
Identifying Open Ports and Available Service • Ports have three states • Open – accepting communications • Closed – not accepting connectivity • Filtered – has some type of network device (e.g. Firewall) preventing the port from being probed • Nmap can be used to determine the state of a port
Identifying Open Ports and Available Service • TCP/UDP scanning types • Some are simple and easy to detect • Some are complicated and difficult to detect • Most intended to be stealthy • TCP provides connection based communication • UDP provides best effort communication
Identifying Open Ports and Available Service • Manipulation of TCP’s three-way handshake is the basis for most TCP-based scanning. • TCP-based scanning techniques • TCP connect() scanning • Full connection attempted • Easiest to detect
Identifying Open Ports and Available Service • TCP-based scanning techniques (cont.) • TCP SYN (half open) scanning • Full connection never opened • Scanning machine sends a SYN packet • If a SYN/ACK is received, the port is listening • The scanner breaks the connection by sending a RST packet • If a RST is received, the port is closed
Identifying Open Ports and Available Service • TCP-based scanning techniques (cont.) • TCP SYN/ACK scanning • Scanner sends a SYN/ACK • If the port is closed, a RST will be sent • If the port is open, the packet will be ignored and dropped by the port
Identifying Open Ports and Available Service • TCP-based scanning techniques (cont.) • TCP FIN scanning • Scanner sends a FIN packet • If the port is closed, it replies with a RST • If the port is open, it ignores the FIN • NOTE... Windows will send a RST regardless of the state of the port
Identifying Open Ports and Available Service • TCP-based scanning techniques (cont.) • TCP FTP • Very stealthy • Scanner connects to an FTP server and requests that the server initiate a data transfer process to a third system • Scanner uses the PORT FTP command to declare the data transfer process is listening on the target box at a certain port number • Scanner then uses the LIST FTP command to try to list the current directory. • The result is sent over the server data transfer process channel. • If the transfer is successful, the target host is listening on the specified port. • If the transfer is unsuccessful, the port is not listening.
Identifying Open Ports and Available Service • TCP-based scanning techniques (cont.) • RPC scan • A remote procedure call (RPC) is used to identify RPC applications • IDLE scan • Considered the only totally stealth scan • Scans a remote system, but the results are sent to a third system • All scans will appear to come from the third system
Identifying Open Ports and Available Service • TCP-based scanning techniques (cont.) • XMAS Tree scan • Scanner sends a TCP packet with the URG, PSH, and FIN flags set • Different OS’s will react differently to this
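The SYN, SYN/ACK, FIN and XMAS techniques above differ only in which flag bits the probe carries and how the target's reply (or silence) is read. The code below is an added example, not from the slides, written from the analyst's side: it takes the flags byte of a raw TCP header, names the scan type an unsolicited inbound segment corresponds to, and interprets the reply the way the slides describe, including the Windows behaviour of answering RST regardless of port state. The flag constants follow RFC 793; build_tcp_header only constructs test input (checksum left zero).

```python
"""Added example: classify TCP probes by flags and interpret replies (not from the slides)."""
import struct
from typing import Optional

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Constructed 20-byte TCP header for testing the parser (no options, checksum zero)."""
    data_offset = 5 << 4                      # 5 x 32-bit words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)


def flags_from_header(tcp_header: bytes) -> int:
    """Return the six classic flag bits of a raw TCP header (ECN bits masked off)."""
    if len(tcp_header) < 20:
        raise ValueError("need at least the 20-byte fixed TCP header")
    return tcp_header[13] & 0x3F


def classify_probe(flags: int) -> str:
    """Name the scan technique an unsolicited inbound segment with these flags matches."""
    table = {
        SYN: "syn",                 # half-open scan: only the first step of the handshake
        SYN | ACK: "syn_ack",       # SYN/ACK scan: second step without a preceding SYN
        FIN: "fin",                 # FIN scan: tear-down of a connection that never existed
        URG | PSH | FIN: "xmas",    # XMAS tree scan: URG, PSH and FIN all lit
    }
    return table.get(flags, "other")


def infer_port_state(probe: str, response_flags: Optional[int],
                     rst_on_all_ports: bool = False) -> str:
    """Interpret the target's reply (None = no reply) to a probe of the given type.

    rst_on_all_ports models stacks such as Windows that answer FIN/XMAS probes with
    RST whatever the port state, which makes those techniques inconclusive there."""
    got = response_flags or 0
    if probe == "syn":
        if response_flags is not None and got & SYN and got & ACK:
            return "open"
        if got & RST:
            return "closed"
        return "filtered"            # no answer: a firewall is most likely dropping the SYN
    if probe in ("syn_ack", "fin", "xmas"):
        if rst_on_all_ports:
            return "inconclusive"
        if got & RST:
            return "closed"
        # Silence means "open" by RFC 793 behaviour, but a filter also produces silence,
        # so the honest verdict is open|filtered rather than plain open.
        return "open|filtered"
    return "unknown"


if __name__ == "__main__":
    hdr = build_tcp_header(40000, 22, URG | PSH | FIN)
    kind = classify_probe(flags_from_header(hdr))
    print(kind, infer_port_state(kind, None), infer_port_state(kind, RST))
```

For an IDS author the useful part is classify_probe: a segment with FIN, URG and PSH set and no ACK never occurs in a legitimate TCP conversation, so matching on that exact flag combination (as Snort rules do) gives a low false-positive signature for the XMAS and FIN techniques even though they are "stealthier" than a full connect().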
Identifying Open Ports and Available Service • Determining the operating system • Helps to determine which attack to use • Can be easily found sometimes • Telnet banner • FTP banner • TCP Stack fingerprinting / Passive OS fingerprinting • Different OS and device vendors implement TCP/IP slightly different. These differences can be used to determine the OS • TCP Initial sequence number sampling • The pattern for sequence numbers can give away the OS
Identifying Open Ports and Available Service • Scanning Tools • Can be used by hackers and administrators alike • Hping • Can send packets with non-traditional IP stack parameters • Legion • Scans for shared folders • Nessus • Free security auditing tool • Nmap • Very common, very good port scanner
Identifying Open Ports and Available Service • Scanning Tools (cont.) • Security Administrator’s Integrated Network Tool (SAINT) • Examines network services (ex. Finger, NFS, FTP, TFTP, statd, etc.) • System Administrator Tool for Analyzing Networks (SATAN) • Scans for well-known vulnerabilities • Tcpview • Displays what applications are using what ports
Identifying Open Ports and Available Service • Scanning Tools (cont.) • Snort • Very powerful Intrusion Detection System (IDS) • Can be used as a sniffer • SuperScan • TCP/UDP port scanner • Newer version can perform enumeration • THC-Amap • TCP/UDP scanner • Can find services on ports that have been redirected
Identifying Open Ports and Available Service • Vulnerable Ports • 65,535 TCP and UDP ports • Most common include • 21 - ftp • 23 - telnet • 25, 109, 110, 143 - smtp, pop3, imap • 53 - dns • 80, 8080 – http • 161 – snmp • 5631 - PCAnywhere
Identifying Open Ports and Available Service • Port Scanning Issues • False positives • Applications can use ports normally associated with other services • Heavy traffic • Can cause network performance issues • False negatives • Can exhaust system resources, causing a false negative • System crash • Unregistered port numbers • Ports may be listening, but what service is unknown
Identifying Open Ports and Available Service • Banner Grabbing • Can provide important information • Type of software • Version of software • Telnet can be used to grab HTTP, FTP, and SMTP server information • telnet [ipaddr] [port #]
Identifying Open Ports and Available Service • Banner Grabbing (cont.) • Netcat • nc -v -n [ipaddr] [port #] • Features • Creating outbound and inbound connections • UDP or TCP • Providing a tunnelling mode • Randomized port scanning • File transfers • Remote shell
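What telnet or nc shows interactively can be done in a few lines of code when an administrator wants to inventory the software and versions their own servers announce. The script below is an added example, not from the slides: it starts a throwaway listener on 127.0.0.1 that replies with a constructed banner (no real host is contacted), grabs that banner the way nc would, and pulls a product/version pair out of it. The banners, hostnames such as ftp.example.test and the product list are all constructed for the example; HTTP servers say nothing until asked, so a minimal HEAD request is sent as the probe in that case.

```python
"""Added example: banner grabbing against a loopback test listener (not from the slides)."""
import re
import socket
import threading
from typing import Optional, Tuple

# Constructed banners; none were captured from a real host.
CONSTRUCTED_BANNERS = {
    "ftp":  b"220 ProFTPD 1.3.5 Server (ftp.example.test)\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n",
    "ssh":  b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    "http": b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
}


def serve_banner(banner: bytes) -> int:
    """Start a throwaway listener on 127.0.0.1 that sends `banner` to one client; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> str:
    """Connect, optionally send a probe (HTTP needs a request), and return the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        data = s.recv(1024)
    return data.decode("ascii", errors="replace").strip()


# product/version pairs such as "ProFTPD 1.3.5", "Apache/2.4.41", "OpenSSH_8.2p1"
VERSIONED = re.compile(r"([A-Za-z][A-Za-z0-9-]*)[/_ ]v?(\d+(?:\.\d+)+[A-Za-z0-9]*)")
# products that commonly announce themselves without a version number
KNOWN_PRODUCTS = ("Postfix", "Exim", "Sendmail", "Microsoft-IIS", "nginx")


def parse_banner(banner: str) -> Tuple[Optional[str], Optional[str]]:
    """Pull (product, version) out of a banner; HTTP is judged by its Server header only."""
    server = re.search(r"^Server:\s*(.+)$", banner, re.MULTILINE | re.IGNORECASE)
    if banner.startswith("HTTP/") and not server:
        return None, None           # status line alone says nothing about the software
    text = server.group(1).strip() if server else banner
    m = VERSIONED.search(text)
    if m:
        return m.group(1), m.group(2)
    for name in KNOWN_PRODUCTS:
        if name in text:
            return name, None
    return None, None


if __name__ == "__main__":
    for name, banner in CONSTRUCTED_BANNERS.items():
        port = serve_banner(banner)
        probe = b"HEAD / HTTP/1.0\r\n\r\n" if name == "http" else b""
        print(name, port, parse_banner(grab_banner("127.0.0.1", port, probe=probe)))
```

The timeout in grab_banner matters in practice: a filtered port or a service that waits for the client to speak first (SSH sends its banner immediately, many HTTP servers do not) would otherwise hang the whole inventory run. The same parse_banner logic applied to your own hosts shows exactly what an outside scanner learns, which is the case for trimming version strings out of banners where the software allows it.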
War Dialing • Accessing a network by using a modem and software to scan for target systems with attached modems • Modems have very weak authentication • Modems are often left unchecked on workstations and laptops
War Dialing • War dialer • A tool used to scan a large pool of telephone numbers to try to detect vulnerable modems • THC-Scan – DOS application that dials ranges of numbers to search for a modem or fax • ToneLoc – dials from a file of area codes and number banks • PhoneSweep – Heavy duty war dialing application that supports simultaneous multiple phone lines
War Driving and War Walking • Sniffing for WLANs while travelling via some means of transport such as car, train, bus, even planes • War Walking is the same as war driving, but walking instead of driving
War Driving and War Walking • Wireless Scanners • NetStumbler – GUI, displays wireless access points, SSIDs, channels, encryption, and signal strength • MiniStumbler – Similar to NetStumbler, but designed to work with Pocket PC • AirSnort – Wireless LAN tool that cracks WEP encryption keys • Kismet – Wireless network detector, sniffer, and IDS • SSID Sniff – Used to discover access points and save captured data • WifiScanner – Analyzes traffic and detects 802.11b APs
War Driving and War Walking • Wireless Packet Sniffers • AirMagnet – developed for wireless inventory management, but can be used for security assessment • AiroPeek – packet analyzer for 802.11b wireless LANs • Wireshark – Complete packet analyzer, requires a Wi-Fi NIC capable of monitor mode (promiscuous)
Fingerprinting • The process of determining the operating system on the target computer. • Exploits the fact that various OS vendors implement the TCP/IP stack differently. • Packets returned to the sender are logged and compared to a database to determine the target’s operating system
Fingerprinting • Two types • Passive • Less accurate than Active fingerprinting, but less detectable • Passively captures packets on the network • Compares many packet fields • TTL • Initial TCP Window Size • Don’t Fragment bit • Type of Service • Sequence #
Fingerprinting • Two types (cont.) • Active • More accurate than passive fingerprinting, but not as stealthy • Works similarly to passive, but sends altered packets to compare the results
Fingerprinting • Tools • p0f – passive fingerprinting tool • lcamtuf.coredump.cx/p0f.shtml • Nmap – active fingerprinting • Xprobe – active fingerprinting • xprobe.sourceforge.net • Winfingerprint – active fingerprinting • winfingerprint.com
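Passive fingerprinting in the p0f style reduces to reading a few fields out of a captured SYN and matching them against a signature table. The code below is an added example, not from the slides and not p0f's own code or database: it parses TTL, the Don't Fragment bit and the TCP initial window from a raw IPv4+TCP SYN, estimates the sender's initial TTL and hop distance from the TTL seen on the wire, and matches against a small constructed signature table. The signature values and their OS labels are illustrative, not authoritative; build_syn_packet only constructs test input (checksums left zero, addresses 10.0.0.5 and 192.168.1.10 made up).

```python
"""Added example: p0f-style passive fingerprinting of a captured SYN (not from the slides)."""
import struct
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SynObservation:
    ttl: int        # IP TTL as seen on the wire
    window: int     # TCP initial window advertised in the SYN
    df: bool        # IP Don't Fragment bit


# Constructed, illustrative signature table: (initial TTL, initial window, DF, label).
# The numbers are common textbook defaults, not a copy of any tool's database.
SIGNATURES: List[Tuple[int, int, bool, str]] = [
    (64, 29200, True, "Linux (illustrative signature)"),
    (64, 65535, True, "BSD-derived (illustrative signature)"),
    (128, 8192, True, "Windows (illustrative signature)"),
    (128, 64240, True, "Windows 10 (illustrative signature)"),
    (255, 4128, False, "Cisco IOS (illustrative signature)"),
]

INITIAL_TTLS = (32, 64, 128, 255)   # initial TTLs most stacks start from


def guess_initial_ttl(ttl: int) -> int:
    """The observed TTL is the initial TTL minus hops travelled; pick the smallest
    common initial value that is >= the observed one."""
    for candidate in INITIAL_TTLS:
        if ttl <= candidate:
            return candidate
    raise ValueError("TTL out of range")


def observation_from_packet(raw: bytes) -> SynObservation:
    """Extract TTL, DF and TCP window from a raw IPv4+TCP segment (no link-layer header)."""
    ihl = (raw[0] & 0x0F) * 4                          # IPv4 header length in bytes
    flags_frag = struct.unpack("!H", raw[6:8])[0]      # 3 flag bits + 13-bit fragment offset
    ttl = raw[8]
    window = struct.unpack("!H", raw[ihl + 14:ihl + 16])[0]
    return SynObservation(ttl=ttl, window=window, df=bool(flags_frag & 0x4000))


def fingerprint(obs: SynObservation) -> List[Tuple[str, int]]:
    """Return (label, estimated hop distance) for every signature matching the observation."""
    initial = guess_initial_ttl(obs.ttl)
    distance = initial - obs.ttl
    return [(label, distance) for ittl, win, df, label in SIGNATURES
            if ittl == initial and win == obs.window and df == obs.df]


def build_syn_packet(ttl: int, window: int, df: bool) -> bytes:
    """Constructed IPv4+TCP SYN for testing the parser (checksums zero, made-up addresses)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    obs = observation_from_packet(build_syn_packet(ttl=52, window=29200, df=True))
    print(obs, fingerprint(obs))
```

Two caveats a practitioner should keep in mind. The hop-distance estimate depends on the initial-TTL guess, so a sender whose stack starts from an unusual value is mis-attributed; and the window size is the first field operators tune on servers, which is why real tools also weigh the MSS, option ordering and the Type of Service field listed on the slide before committing to a match.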
Mapping the Network • Taking all gathered information and creating a detailed map or maps of the organization • Network information • Network diagram/layout • Cheops – www.marko.net/cheops/ • Company information