450 likes | 886 Views
Scanning. BAI514 – Security I. Scanning. The goal of scanning is to discover open ports and find applications vulnerable to hacking. Scanning. The Information Gathering Process 1 – Gathering information 2 – Locating the network range 3 – Identifying active machines
E N D
Scanning BAI514 – Security I
Scanning • The goal of scanning is to discover open ports and find applications vulnerable to hacking
Scanning • The Information Gathering Process • 1 – Gathering information • 2 – Locating the network range • 3 – Identifying active machines • 4 – Finding open ports and applications • 5 – Detecting operating systems • 6 – Fingerprinting services • 7 – Mapping the network • Scanning comprises the last five steps
Identifying Active Machines • Primary reasons • Fill in details of the target network map • Identify perimeter and outer boundary of target network • Create an inventory of accessible systems in the target network
Identifying Active Machines • Ping • Useful ICMP utility • Measures speed at which packets traverse network • Can provide other details of target • TTL • Sequence number • Other?
Identifying Active Machines • Ping (cont.) • Ping nnn.nnn.nnn.nnn • Options • -t Ping host until stopped-a Resolve address to hostname-n n Number of requests to send-l n Send buffer size-in TTL-v n TOS-r n Record router for n hops-s n Timestamp for n hops-j list Loose source route along host-list-k list Strict source route along host-list-w n Timeout in ms to wait for each reply
Identifying Active Machines • Ping Sweeps • Automatically pinging a range of IP addresses • Script • Batch file • Utility • Ping Tools • WS_PingProPack – www.ipswitch.com • NetScan Tools – www.nwpsw.com • Hping – www.hping.org/download.html • Icmpenum – www.nmrc.org
Identifying Active Machines • Ping Sweeps (cont.) • Ping Sweep Detection Tools • Network-based IDS – www.snort.org • Genius – www.indiesoft.com • Scanlogd – www.openwall.com/scanlogd
Identifying Open Ports and Available Service • Next step after finding active hosts is to locate any open ports and services on the hosts • Techniques include • Port scanning • Banner grabbing • War dialing • War walking/driving
Identifying Open Ports and Available Service • Reasons for identifying listening services on the target • Determine live hosts if ICMP is blocked • Identify potential ports for creating attack vectors • Obtain OS information • Identify specific applications
Identifying Open Ports and Available Service • Port Scanning • The process of connecting to, or attempting to connect to, TCP or UDP ports for the purpose of finding what services and applications are running on the target system. • Email • http • TCP 53 • UDP 161 • UDP/TCP 4
Identifying Open Ports and Available Service • Types of information gathered from scanning • Details of target DNS • Available services • Types and versions of operating systems
Identifying Open Ports and Available Service • Ports have three states • Open – accepting communications • Closed – not accepting connectivity • Filtered – has some type of network device (e.g. Firewall) preventing the port from being probed • Nmap can be used to determine the state of a port
Identifying Open Ports and Available Service • TCP/UDP scanning types • Some are simple and easy to detect • Some are complicated and difficult to detect • Most intended to be stealthy • TCP provides connection based communication • UDP provides best effort communication
Identifying Open Ports and Available Service • Manipulation of TCP’s three-way handshake is the basis for most TCP-based scanning. • TCP-based scanning techniques • TCP connect() scanning • Full connection attempted • Easiest to detect
Identifying Open Ports and Available Service • TCP-based scanning techniques (cont.) • TCP SYN (half open) scanning • Full connection never opened • Scanning machine sends a SYN packet • If a SYN/ACK is received, the port is listening • The scanner breaks the connection by sending a RST packet • If a RST is received, the port is closed
Identifying Open Ports and Available Service • TCP-based scanning techniques (cont.) • TCP SYN/ACK scanning • Scanner sends a SYN/ACK • If the port is closed, a RST will be sent • If the port is open, the packet will be ignored and dropped by the port
Identifying Open Ports and Available Service • TCP-based scanning techniques (cont.) • TCP FIN scanning • Scanner sends a FIN packet • If the port is closed, it replies with a RST • If the port is open, it ignores the FIN • NOTE... Windows will send a RST regardless of the state of the port
Identifying Open Ports and Available Service • TCP-based scanning techniques (cont.) • TCP FTP • Very stealthy • Scanner connects to an FTP server and requests that the server initiate a data transfer process to a third system • Scanner uses the PORT FTP command to declare the data transfer process is listening on the target box at a certain port number • Scanner then uses the LIST FTP command to try to list the current directory. • The result is sent over the server data transfer process channel. • If the transfer is successful, the target host is listening on the specified port. • If the transfer is unsuccessful, the port is not listening.
Identifying Open Ports and Available Service • TCP-based scanning techniques (cont.) • RPC scan • A remote program call (RPC) is used to identify RPC applications • IDLE scan • Considered the only totally stealth scan • Scans a remote system, but the results are sent to a third system • All scans will appear to come from the third system
Identifying Open Ports and Available Service • TCP-based scanning techniques (cont.) • XMAS Tree scan • Scanner sends a TCP packet with the URG, PSH, and FIN flags set • Different OS’s will react differently to this
Identifying Open Ports and Available Service • Determining the operating system • Helps to determine which attack to use • Can be easily found sometimes • Telnet banner • FTP banner • TCP Stack fingerprinting / Passive OS fingerprinting • Different OS and device vendors implement TCP/IP slightly different. These differences can be used to determine the OS • TCP Initial sequence number sampling • The pattern for sequence numbers can give away the OS
Identifying Open Ports and Available Service • Scanning Tools • Can be used by hackers and administrators alike • Hping • Can send packets with non-traditional IP stack parameters • Legion • Scans for shared folders • Nessus • Free security auditing tool • Nmap • Very common, very good port scanner
Identifying Open Ports and Available Service • Scanning Tools (cont.) • Security Administrator’s Integrated Network Tool (SAINT) • Examines network services (ex. Finger, NFS, FTP, TFTP, statd, etc.) • System Administrator Tool for Analyzing Networks (SATAN) • Scans for well-known vulnerabilities • Tcpview • Displays what applications are using what ports
Identifying Open Ports and Available Service • Scanning Tools (cont.) • Snort • Very powerful Intrusion Detection System (IDS) • Can be used as a sniffer • SuperScan • TCP/UDP port scanner • Newer version can perform enumeration • THC-Amap • TCP/UDP scanner • Can find services on ports that have been redirected
Identifying Open Ports and Available Service • Vulnerable Ports • 65,535 TCP and UDP ports • Most common include • 21 - ftp • 23 - telnet • 25, 109, 110, 143 - smtp, pop3, imap • 53 - dns • 80, 8080 – http • 161 – snmp • 5631 - PCAnywhere
Identifying Open Ports and Available Service • Port Scanning Issues • False positives • Applications can use ports normally associated with other services • Heavy traffic • Can cause network performance issues • False negatives • Can exhaust system resources, causing a false negative • System crash • Unregistered port numbers • Ports may be listening, but what service is unknown
Identifying Open Ports and Available Service • Banner Grabbing • Can provide important information • Type of software • Version of software • Telnet can be used to grab HTTP, FTP, and SMTP server information • Telnet [ipaddr] [port #]
Identifying Open Ports and Available Service • Banner Grabbing (cont.) • Netcat • Nc –v –n [ipaddr] [port #] • Features • Creating outbound and inbound connections • UDP or TCP • Providing a tunnelling mode • Randomized port scanning • File transfers • Remote shell
War Dialing • Accessing a network by using a modem and software to scan for target systems with attached modems • Modems have very weak authentication • Modems are often left unchecked on workstations and laptops
War Dialing • War dialer • A tool used to scan a large pool of telephone numbers to try to detect vulnerable modems • THC-Scan – DOS application that dials ranges of numbers to search for a modem or fax • ToneLoc – dials from a file of area codes and number banks • PhoneSweep – Heavy duty war dialing application that supports simultaneous multiple phone lines
War Driving and War Walking • Sniffing for WLANs while travelling via some means of transport such as car, train, bus, even planes • War Walking is the same as war driving, but walking instead of driving
War Driving and War Walking • Wireless Scanners • NetStumbler – GUI, displays wireless access points, SSIDs, channels, encryption, and signal strength • MiniStumbler – Similar to NetStumbler, but designed to work with Pocket PC • AirSnort – Wireless LAN tool that cracks WEP encryption keys • Kismet – Wireless network detector, sniffer, and IDS • SSID Sniff – Used to discover access points and save captured data • WifiScanner – Analyzes traffic and detects 802.11b Aps
War Driving and War Walking • Wireless Packet Sniffers • AirMagnet – developed for wireless inventory management, but can be used for security assessment • AiroPeek – packet analyzer for 802.11b wireless LANS • Wireshark – Complete packet analyzer, requires a WiFinic capable of monitor mode (promisuous)
Fingerprinting • The process of determining the operating system on the target computer. • Exploits the fact that various OS vendors implement the TCP/IP stack differently. • Packets returned to the sender are logged and compared to a database to determine the target’s operating system
Fingerprinting • Two types • Passive • Less accurate than Active fingerprinting, but less detectable • Passively captures packets on the network • Compares many packet fields • TTL • Initial TCP Windows Size • Don’t Fragment bit • Type of Service • Sequence #
Fingerprinting • Type types (cont.) • Active • More accurate than passive fingerprinting, but not as stealthy • Works similarly to passive, but sends altered packets to compare the results
Fingerprinting • Tools • p0f – passive fingerprinting tool • Lcamtuf.coredump.cx/p0f.shtml • Nmap – active fingerprinting • Xprobe – active fingerprinting • xprobe.sourceforge.net • Winfingerprint – active fingerprinting • winfingerprint.com
Mapping the Network • Taking all gathered information and creating a detailed map or maps of the organization • Network information • Network diagram/layout • Cheops – www.marko.net/cheops/ • Company information