1 / 32

Scanning

Scanning. This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne. The Source!. “Network Scanning Techniques – Understanding how it is done” Author: Ofir Arkin. SCANNER. SCANNER.

matthewk
Download Presentation

Scanning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Scanning This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne

  2. The Source! • “Network Scanning Techniques – Understanding how it is done” • Author: Ofir Arkin

  3. SCANNER SCANNER NETWORK SCANNING Web Server Domain Controller Internal Threats External Threats Internet Gateway Fire wall Desktops Mail Server Database Server

  4. Intro to Intelligence Gathering Techniques • 3 Major Steps • Foot Printing • Scanning • Enumeration • Similar to Military • Gather information on the target • Analyze weaknesses • Construct and launch attack

  5. Footprinting • Construct a profile of the target site • Adminstrative, technical & billing contacts from the ARIN database (whois utility) • IP Address range • DNS Servers • Mail Servers • Firewalls

  6. Scanning • Art of detecting which systems are alive and reachable on the Internet • What services do they offer? • TCP/UDP running on each system • System architecture (Unix, Windows, etc.) • OS version and patch levels

  7. Enumeration • The process of extracting valid accounts or exported resource names from systems • Uses active connections to systems and queries, therefore, more intrusive than footprinting or scanning • OS specific • Gathers userid, group names, system banners, routing tables, SNMP info

  8. Intro to Scanning • What are scanners doing? • What do they look like(signature)? • How do they operate in order to accomplish their tasks? • What kind of information is collected? • How serious is the threat?

  9. Scanning: Ping Sweeps • ICMP Echo Requests(ICMP Type 8) to the target and wait for ICMP Echo Reply (ICMP Type 0) • Unix Tools • Fping, gping, nmap • Windows • Ping, pinger from Rhino9 (this is a extremely fast scanner that sends multiple ICMP echo requests concurrently • Defense: block ICMP echo requests

  10. Scanning: Broadcast ICMP • Send ICMP Echo Request to broadcast address on the subnets • Unix boxes will answer requests directed to the network so we can identify the Unix boxes using this technique • Windows boxes won’t respond

  11. Scanning: Non-ECHO ICMP • Use non-ECHO ICMP protocols to bypass the ‘block ICMP echo’ filters • ICMP type 13 (TIMESTAMP) will query a system for the current time • ICMP type 17 (Address Mask Request) is used by diskless systems to obtain its subnet mask at boot time. • Tools: icmpush, icmpquery

  12. Scanning: TCP Sweeps • TCP SYN or TCP ACK packets sent to the target network • telnet, FTP, HTTP, SMTP are the common ports scanned • Firewalls can spoof the response so this isn’t a reliable scanning method • Tools: nmap, hping (also allows packet fragments to be sent)

  13. Scanning: UDP Sweeps • Relies on the ICMP PORT UNREACHABLE message which is sent by a closed UDP port • If not received, the port is assumed to be open • Not reliable because: • Routers can drop UDP packets • Many UDP services don’t respond correctly • Firewalls usually drop UDP packets except DNS

  14. Scanning: Port Scanning • Goal: determine what services are running or in a LISTENING state • The services may suffer from vulnerabilities • A number of port scan techniques

  15. Port Scanning • TCP Connect() scan • SYN packet sent to target port • If SYN/ACK is received, port is active • If RST/ACK is received, port is dead • Finish the 3-way sequence by sending an ACK then terminate the connection • Easily detected by looking at syslogs for connection or error messages

  16. Port Scanning • TCP Half Open Scan (SYN Scan) • Send the SYN packet to the target • If SYN/ACK received, the port is active • If RST/ACK received, the port is dead • We do NOT complete the connection

  17. Advanced Port Scanning • Stealth Scanning techniques • Intentionally violate the 3-way handshake • SYN/ACK scan • FIN scan • XMAS scan • NULL scan • RFC 793 states that closed ports must reply with a RST packet to our probe

  18. Stealth Scanning • SYN/ACK scan • Send SYN/ACK to target (step 2 of the 3 way handshake) • TCP should respond with RST because it figures this is a mistake • We get a response which tells us the port is closed • Open ports do not send anything

  19. Stealth Scanning • FIN scan • Send a FIN to the target • Wait for reply • Open ports will respond • XMAS scan • Send TCP packet with all TCP flags – URG, ACK, PSH, RST, SYN, FIN set

  20. Stealth Scanning • Null Scanning • Send TCP packet that turns off all flags • The target should send a RST to all closed ports • RFC 793 says this should work for every TCP implementation • Windows, CISCO, BSDI, HP/UX, MVS, Irix are broken. They send RST to open ports as well. • If FIN/NULL/XMAS scans show closed ports then SYN scan them to find open ports. If they match, you have one of the above systems.

  21. Inverse Mapping • Gather info about hosts or networks which aren’t there • We make assumptions about what is there • RESET Scan • Routers will give information on a net even if the question doesn’t make sense • Routers will report non-existent addresses • No HOST UNREACHABLE or TIME EXCEEDED means the IP exists

  22. Inverse Mapping • Proxy Scanning/FTP Bounce Scanning • Attacker.com connects to FTP server which has a world writable directory and opens a control connection • Attacker can then ask the FTP server to initiate an active server data xfer process to send a file anywhere on the net. Hobbit’s paper has more details • Use to scan behind a firewall

  23. Port Scanning Techniques • TCP Reverse Ident Scanning • Ident protocol (RFC 1413) determines the owner of a TCP connection by communicating on port 113 • Full TCP connection to the host • Slow scan • Defeats IDS that look for lots of connection in a short period of time. • Typical scan rate: 2 ports/day

  24. Port Scanning Techniques • Fragmentation Scanning • All IP packets can be fragmented • RFC 791 defines the min/max fragment size • 8 octets (min frag size) are enough to contain the src/dst port numbers • This forces the TCP flags field into the second fragment

  25. Port Scanning Techniques • Fragmentation Scanning • Some filters/IDS may incorrectly reassemble or completely miss portions of the scan • Filters that queue all IP fragments can handle this method • Fixed in most vendor’s products

  26. Port Scanning Techniques • Decoy Scanning • The target net thinks the hosts you specify as decoys (bots) are scanning them also • Makes it impossible to determine who the real scanner is • Signature: TTL field usually contains the same number • Nmap bypasses this error • test by traceroute’ing the source IP

  27. Port Scanning Techniques • Coordinated Scans • Multiple IP’s used in the scan • Each one of them probes specific ports in a different time period, different scan rate • Detection depends on the time period the probes take place • Coordinated scans are the most discrete way of probing a target

  28. Operating System Detection • TCP/IP/Stack Fingerprinting • Uses distinct variation in TCP stack implementation to get the OS type • Send specific TCP packets to target and observe the response • Varies with vendor because they interpret the RFC differently when they wrote their TCP stacks

  29. Operating System Detection • FIN packet sent to open port. RFC 793 says “don’t respond to the FIN”. • Many stacks will respond with a RST. Windows, BSDI, CISCO, HPUX, MVS, Irix do this.

  30. Firewalking • A techniqueused to gather information about a remote network protected by a firewall. • 2 purposes • Determine the ACL of a FW by mapping open ports on the FW. • If FW drops ICMP ECHO request/reply, this technique is effective

  31. Firewalking • Uses traceroute style packet filtering to determine whether the packet passes through the FW. • Need 2 pieces of info • IP of last known gateway BEFORE the FW. This is our waypoint. • IP of host located behind the firewall.This is used as a destination to direct packet flow.

  32. Firewalking • If we traceroute a host behind the FW and get blocked by the ACL, we find the FW. • We then try to traceroute same host using different transport protocol (TCP, UDP, ICMP). If we get a response, 2 possible conclusions: • This particular traffic is allowed by the FW. • We know a host exists behind the FW. • Trying to pass packets on all ports/protocols through the FW, monitor the response will produce the ACL. Use slow scan to avoid detection! Send packets to all hosts inside the net.

More Related