
Network Security in OS Detection Through TCP/IP Fingerprinting

Learn about the importance of detecting operating systems in network security, leveraging tools like Nmap for host discovery and port scanning techniques like TCP SYN, UDP, and TCP Window scans. Understand OS detection methods, including TCP, UDP, and ICMP probes, and the role of DNS in network security.


Presentation Transcript


  1. ITIS 6167/8167: Network Security Weichao Wang

  2. Outline
  • OS detection through TCP/IP fingerprinting
  • DNS and its security

  3. OS detection through TCP/IP fingerprinting
  • Reasons to detect the OS:
    • Determine the vulnerability of target hosts
    • Tailor exploits
    • Network inventory

  4. Nmap
  • Nmap ("Network Mapper") uses IP packets to determine what hosts are available on the network, what services those hosts are offering (application name and version), what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
  • Nmap is free software, available with full source code at http://www.nmap.org/

  5. Nmap has been used in many movies

  6. Host Discovery
  • TCP SYN probe: the remote side replies with SYN/ACK or RST
  • TCP ACK probe: the remote side returns RST
  • TCP FIN scan
  • UDP probe: use an uncommon UDP port (closed most of the time) and expect an ICMP port unreachable report
  • ICMP echo request (ping)
  • ICMP timestamp request
  • ICMP netmask request

  7. ARP Probes
  • Why an ARP scan? When you use an ICMP ping scan, the OS needs to send out an ARP request to figure out the MAC address
  • You are sending millions of ARP requests; the OS is not designed for this
  • Nmap therefore controls ARP directly and sends out the ARP requests itself

  8. Intense Discovery!
  # nmap -sP -PE -PP -PS21,22,23,25,80,113,21339 -PA80,113,443,10042 --source-port 53 -n -T4 -iR 10000
  [ ... lots of IPs ... ]
  Host a.b.c.d appears to be up.
  Host w.x.y.z appears to be up.
  Nmap finished: 10000 IP addresses (699 hosts up) scanned in 2016.564 seconds

  9. Nmap: Port Scanner
  • Purpose of a port scanner:
    • Identify unused/unauthorized services in the network. Example: an unauthorized FTP service, Trojan software
    • Discover unused/rogue devices in the network. Example: an unauthorized notebook computer

  10. Nmap: Port Scanner Output

  11. Nmap: Port Scanner Example

  12. Nmap: Port Scanner Example

  13. Port scan
  • There are many more scan types than the TCP SYN scan
  • Be careful with scan results; sometimes they are misleading:
    • Implementations that do not follow the RFC
    • OSes that intentionally confuse the scanner

  14. TCP scan
  • Send only the SYN packet
  • If a SYN/ACK is received, the port is open
  • If a RST is received, there is no listener on the port
  • If no response or an ICMP error report is received, the port is filtered

  15. UDP scan
  • Many UDP ports are open: DNS, SNMP, DHCP, etc.
  • Send an empty UDP header (no data) to the target ports
  • Problems of UDP scanning:
    • Too slow: many OSes rate-limit the sending of ICMP unreachable packets, e.g. Linux and Solaris allow 1 pkt/sec
    • If there is no response, the UDP packet is resent, which also takes a long time

  16. TCP NULL, FIN, and Xmas scans
  • Use combinations of TCP flag bits to distinguish an open port from a closed port
  • Null scan: does not set any bits
  • FIN scan: sets just the TCP FIN bit
  • Xmas scan: sets the FIN, PSH, and URG flags

  17. TCP ACK scan
  • Tries to tell whether or not a port is filtered
  • Just sets the ACK bit
  • If the port is not filtered (the ACK packet reaches the port), you will receive a RST
  • If an ICMP error report is received, label the port as filtered

  18. TCP Window scan
  • Almost the same as the ACK scan
  • But look at the window size in the returned RST packet
  • A positive window size indicates an open port
  • A zero window size indicates the port is closed
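The scan types on slides 14, 16 and 17 each have a recognisable flag combination, which is what a network defender keys on. The following is an added example (not code from the slides or from Nmap): it classifies flow records by their exact TCP flag pattern and reports sources that send NULL, FIN or Xmas packets at all, or that sweep many ports with SYN-only or ACK-only packets. The flow records, addresses and thresholds are constructed for the example.

```python
# Added example, not from the slides: a small detector for the probe shapes on
# slides 14, 16 and 17 (SYN-only, NULL, FIN, Xmas, ACK-only). Flow records are
# constructed; each one is (src_ip, dst_ip, dst_port, tcp_flags).
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# How many distinct (host, port) targets one source must touch before we report
# it. NULL, FIN and Xmas packets never occur in a normal connection, so a single
# one is already worth a look; SYN-only and ACK-only packets are ordinary, so
# only a sweep across many ports is suspicious. Thresholds are assumptions.
THRESHOLDS = {"null": 1, "fin": 1, "xmas": 1, "syn": 8, "ack": 8}

def probe_kind(flags):
    """Classify a packet by its exact TCP flag combination."""
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags == SYN:
        return "syn"
    if flags == ACK:
        return "ack"
    return "other"   # e.g. SYN|ACK or ACK|PSH: ordinary traffic

def scan_report(flows, thresholds=THRESHOLDS):
    """Return {(src_ip, kind): distinct_targets} for every source at or over threshold."""
    targets = defaultdict(set)
    for src, dst, dport, flags in flows:
        kind = probe_kind(flags)
        if kind != "other":
            targets[(src, kind)].add((dst, dport))
    return {key: len(t) for key, t in targets.items() if len(t) >= thresholds[key[1]]}

# Constructed sample: one host sweeping ten ports with SYN-only packets, one host
# sending a single Xmas probe, and an ordinary HTTPS connection from a third host.
FLOWS = (
    [("10.0.0.9", "10.0.0.5", p, SYN) for p in (21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080)]
    + [("10.0.0.7", "10.0.0.5", 22, FIN | PSH | URG)]
    + [("10.0.0.3", "10.0.0.5", 443, SYN),
       ("10.0.0.5", "10.0.0.3", 443, SYN | ACK),
       ("10.0.0.3", "10.0.0.5", 443, ACK | PSH)]
)

if __name__ == "__main__":
    for (src, kind), count in sorted(scan_report(FLOWS).items()):
        print(f"{src}: {kind} probes to {count} distinct targets")
```

The single legitimate SYN from 10.0.0.3 stays below the SYN threshold, while one Xmas packet is enough to be reported, which is the asymmetry the slides' flag-based scans create: the odd flag combinations are only ever produced by a scanner.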

  19. Idle scanning
  • Uses the IPID of a quiet host (the zombie) to check for open ports on other hosts
  • Nmap spoofs the zombie's address when sending packets to the victim
  • Polls the zombie to see whether its IPID has incremented (it received a RST from the victim that it was not expecting)

  20. FTP bounce scan
  • Uses the FTP proxy connection feature
  • A user connects to server 1 and asks for files to be sent to host 2
  • Uses the FTP server to scan a host's ports
  • Bypasses dynamic packet filtering devices

  21. OS detection
  • Send multiple TCP, UDP, and ICMP probes to open or closed ports of the machine
  • In TCP packets, the following information is used:
    • Sequence number
    • TCP options
    • Window size
    • Congestion control
    • MSS size, timestamp

  22. In ICMP packets, the following information is used:
  • Handling of the DF bit
  • TOS field
  • ICMP code
  • ICMP identifier

  23. In UDP packets, the following information is used:
  • UDP port number
  • Handling of the data contents
  • In summary, dozens of attributes are used to fingerprint the OS

  24. OS detection
  • Send dozens of ICMP, TCP, and UDP packets to the host
  • Analyze every bit of the reply
  • Map the results to the known fingerprints of OSes
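Slide 24's last step, mapping reply attributes to known fingerprints, is a scoring problem: no single attribute identifies an OS, and the observed TTL has already been decremented on the way back. The block below is an added example written for this page, not Nmap's code: the fingerprint table, the observed values and the attribute weights are all constructed for illustration and are not real Nmap entries.

```python
# Added example, not Nmap's code: the matching step of slide 24, scoring the
# attributes pulled from probe replies against a table of known fingerprints.
# Fingerprints, weights and the observed reply are constructed for illustration.

# Constructed table: the attribute values a reply from each OS is known to carry.
FINGERPRINTS = {
    "constructed-os-A": {"ttl": 64,  "window": 29200, "df": True,  "options": "MSS,SACK,TS,NOP,WS",      "ecn": True},
    "constructed-os-B": {"ttl": 128, "window": 8192,  "df": True,  "options": "MSS,NOP,WS,NOP,NOP,SACK", "ecn": False},
    "constructed-os-C": {"ttl": 255, "window": 65535, "df": False, "options": "MSS,NOP,WS,NOP,NOP,TS",   "ecn": False},
}
# Some attributes separate OSes more strongly than others (assumed weights).
WEIGHTS = {"ttl": 2, "window": 3, "df": 1, "options": 4, "ecn": 1}
MAX_SCORE = sum(WEIGHTS.values())

def initial_ttl(observed_ttl):
    """A reply's TTL was decremented once per hop, so round it up to the
    nearest common initial value before comparing it with the table."""
    for base in (32, 64, 128, 255):
        if observed_ttl <= base:
            return base
    return observed_ttl

def match_score(observed, fingerprint):
    """Weighted count of attributes on which the reply agrees with a fingerprint."""
    score = 0
    for attr, weight in WEIGHTS.items():
        seen = observed.get(attr)
        if attr == "ttl" and seen is not None:
            seen = initial_ttl(seen)
        if seen == fingerprint[attr]:
            score += weight
    return score

def best_matches(observed, table=FINGERPRINTS):
    """Every candidate ranked by score, with a confidence in [0, 1]."""
    ranked = [(name, match_score(observed, fp)) for name, fp in table.items()]
    ranked.sort(key=lambda item: item[1], reverse=True)
    return [(name, score, round(score / MAX_SCORE, 2)) for name, score in ranked]

# Constructed reply attributes, as if collected from a host twelve hops away.
OBSERVED = {"ttl": 52, "window": 29200, "df": True, "options": "MSS,SACK,TS,NOP,WS", "ecn": True}

if __name__ == "__main__":
    for name, score, confidence in best_matches(OBSERVED):
        print(f"{name}: {score}/{MAX_SCORE} ({confidence:.0%})")
```

Ranking every candidate rather than returning only the top one matters in practice: two fingerprints that score nearly the same mean the probes did not discriminate, which is exactly the situation slide 13 warns about when an OS is tuned to confuse the scanner.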

  25. DNS: Domain Name System
  • Motivation: people cannot remember IP addresses; they want something easier to remember
  • DNS in the early days (ARPANET):
    • A flat name space without structure
    • A centralized site maintained it: a file named hosts.txt at SRI
    • Advantage: short names
    • Problems: scalability, name conflicts, maintaining copies

  26. Hierarchical names
  • Decentralized naming mechanism: delegating authority and distributing responsibility
  • Authoritative name servers for each domain can assign other authoritative name servers for their sub-domains
  • Advantages: distributed, fault tolerant, avoids a central registry
  • Works like a large company: partitioned at every level, and the authority for names in subdivisions is passed to designated agents

  27. DNS: two things
  • Name syntax and rules for delegation
  • Ways of implementation so that we can efficiently map names to IPs
  • DNS syntax:
    • A set of labels separated by periods
    • No label is longer than 63 bytes
    • At most 127 levels
    • The whole domain name is not longer than 253 bytes

  28. Example
  • sis.uncc.edu is a domain
  • uncc.edu is also a domain
  • The top-level domain is edu
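The syntax limits on slide 27 are easy to state and easy to get wrong in code (a trailing period is not a label, two periods in a row are an empty label). The block below is an added example, not code from the slides: it checks a name against those limits and lists the domains a name lies in, as slide 28 does for sis.uncc.edu. The sample names are constructed.

```python
# Added example, not from the slides: a checker for the name syntax limits on
# slide 27 (labels separated by periods, each at most 63 bytes, at most 127
# levels, whole name at most 253 bytes) plus a helper that lists the domains a
# name belongs to, as on slide 28. Sample names are constructed.

MAX_LABEL, MAX_LEVELS, MAX_NAME = 63, 127, 253

def check_domain_name(name):
    """Return (True, 'ok') or (False, reason) for the syntax limits above."""
    if not name.isascii():
        return (False, "non-ASCII label; internationalised names must be IDNA-encoded first")
    bare = name.rstrip(".")          # a trailing period names the root; it is not a label
    if not bare:
        return (False, "empty name")
    labels = bare.split(".")
    for label in labels:
        if label == "":
            return (False, "empty label (two consecutive periods)")
        if len(label) > MAX_LABEL:
            return (False, f"label longer than {MAX_LABEL} bytes: {label[:10]}...")
    if len(bare) > MAX_NAME:
        return (False, f"name longer than {MAX_NAME} bytes ({len(bare)})")
    if len(labels) > MAX_LEVELS:
        return (False, f"more than {MAX_LEVELS} levels ({len(labels)})")
    return (True, "ok")

def ancestor_domains(name):
    """Every domain the name lies in, from the name itself up to the top-level domain."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

if __name__ == "__main__":
    for sample in ("sis.uncc.edu", "uncc.edu.", "sis..uncc.edu", "a" * 64 + ".edu"):
        print(sample[:30], check_domain_name(sample))
    print(ancestor_domains("sis.uncc.edu"))
```

Note that with one-byte labels 127 levels already fill the 253-byte limit exactly, so the level limit is only reachable together with the length limit; the checker still tests both so the reason it reports matches the rule that was violated.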

  29. Top level domains

  30. New top level domains

  31. A domain is not necessarily a geographic concept:
  • Ten hosts with different names under research.hp.com can be located at different branches

  32. Mapping domain names to addresses
  • Name server: accomplishes the translation
  • Client: generates the request
  • Servers are arranged in a tree structure; a given server handles an entire subtree
  • There are 13 (maybe more now) root servers around the world, which distributes the workload and improves safety

  33. In practice:
  • A single server can handle multiple levels of the naming tree; for example, a root server handles all top-level domains
  • Circular dependencies and glue records
  • DNS can be used to implement email blacklists

  34. Efficient translation
  • Facts:
    • Most lookups refer to local names
    • On machines, you can set up frequently used suffixes
    • Name-address mappings change infrequently
    • Users are likely to search for the same sites
  • The initial contact begins with the local DNS server

  35. Caching: servers cache answers
  • The local server maintains a cache
  • Bindings change infrequently
  • Each entry has a TTL, set by the authoritative server
  • Negative entries have a TTL of 600 seconds
  • Because of caching, not everyone necessarily sees the same thing

  36. Two types of queries
  • Recursive: usually used by the client
  • Iterative: used by the local DNS server

  37. Recursive query:
  • A resolver sends a recursive query to a name server.
  • The queried name server is obliged to respond with the requested data or with an error stating that data of the requested type don't exist or that the domain name specified doesn't exist.
  • The name server can't just refer the querier to a different name server, because the query was recursive.

  38. Recursive query:
  • If the queried name server isn't authoritative for the data requested, it will have to query other name servers to find the answer.
  • It could send recursive queries to those name servers, thereby obliging them to find the answer and return it.
  • Or it could send iterative queries and possibly be referred to other name servers "closer" to the domain name it's looking for.
  • Current implementations are polite and do the latter, following the referrals until an answer is found.
  • The query sent onward should contain the whole name being resolved, not a shortened version. Why?
    • Efficiency, and the intermediate server may not exist
    • Be careful of circular dependencies

  39. Iterative process:
  • In iterative resolution, a name server simply gives the best answer it already knows back to the querier.
  • No additional querying is required.
  • The queried name server consults its local data, looking for the data requested. If it doesn't find the data there, it makes its best attempt to give the querier data that will help it continue the resolution process. Usually these are the domain names and addresses of the closest known name servers.
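Slides 36 to 39 describe the two query types from the server's side; slide 35 adds the cache that sits in front of them. The block below is an added example (not the slides' code and not a real resolver) that puts the pieces together in a toy model: each authoritative server answers iteratively from its own zone or returns a referral with glue, the local server takes a recursive query, follows the referrals, and caches both answers and negative results with the TTLs the slides give. The zones, server addresses and host addresses are constructed.

```python
# Added example, not the slides' code: a toy resolver showing the recursive and
# iterative query types of slides 36-39 and the TTL cache (with 600-second
# negative entries) of slide 35. Zones and addresses are constructed.
import time

# Constructed zone data. Each authoritative server knows only its own zone:
# name -> list of (type, value, ttl). A delegation is an NS record plus a glue
# A record for the child's server, so that a referral can be followed (slide 33).
ZONES = {
    "root": {
        "edu.": [("NS", "a.edu-servers.example.", 172800)],
        "a.edu-servers.example.": [("A", "192.0.2.1", 172800)],   # glue
    },
    "192.0.2.1": {                       # authoritative for edu.
        "uncc.edu.": [("NS", "ns.uncc.edu.", 86400)],
        "ns.uncc.edu.": [("A", "192.0.2.53", 86400)],             # glue
    },
    "192.0.2.53": {                      # authoritative for uncc.edu.
        "sis.uncc.edu.": [("A", "198.51.100.7", 3600)],
        "ns.uncc.edu.": [("A", "192.0.2.53", 86400)],
    },
}
ROOT_SERVER = "root"
NEGATIVE_TTL = 600   # slide 35

def iterative_query(server, qname, qtype):
    """One iterative exchange (slide 39): the server answers from its own data,
    refers the querier to the closest delegation it knows, or reports that the
    name does not exist. Returns ('answer', value, ttl), ('referral', next_server)
    or ('nxdomain',)."""
    zone = ZONES[server]
    for rtype, value, ttl in zone.get(qname, []):
        if rtype == qtype:
            return ("answer", value, ttl)
    labels = qname.split(".")            # 'sis.uncc.edu.' -> ['sis', 'uncc', 'edu', '']
    for i in range(1, len(labels) - 1):  # longest delegation first, never the root itself
        parent = ".".join(labels[i:])
        for rtype, value, _ in zone.get(parent, []):
            if rtype == "NS":
                glue = [v for t, v, _ in zone.get(value, []) if t == "A"]
                if glue:
                    return ("referral", glue[0])
    return ("nxdomain",)

class RecursiveResolver:
    """The local server of slide 38: accepts a recursive query from a client,
    follows referrals with iterative queries, and caches what it learns."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}      # (qname, qtype) -> (value or None, expires_at)
        self.trace = []      # (server, outcome) per exchange, for inspection

    def resolve(self, qname, qtype="A", max_hops=10):
        key, now = (qname, qtype), self.clock()
        if key in self.cache and self.cache[key][1] > now:
            self.trace.append(("cache", "hit"))
            return self.cache[key][0]
        server = ROOT_SERVER
        for _ in range(max_hops):        # bounded, so a referral loop cannot spin forever
            result = iterative_query(server, qname, qtype)
            self.trace.append((server, result[0]))
            if result[0] == "answer":
                self.cache[key] = (result[1], now + result[2])
                return result[1]
            if result[0] == "nxdomain":  # negative caching
                self.cache[key] = (None, now + NEGATIVE_TTL)
                return None
            server = result[1]
        raise RuntimeError(f"gave up on {qname} after {max_hops} referrals")

if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("sis.uncc.edu."), r.trace)
```

The trace shows slide 38's point directly: the client asked one question, the local server did three iterative exchanges (root, the edu server, the uncc.edu server), and a second query for the same name never leaves the cache until the 3600-second TTL has passed. The hop bound is the practical answer to the circular-dependency warning on the same slide.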

  40. Inverse mapping:
  • Start from the IP address and find out the labels
  • Use the IP address as part of the domain label
  • Use the IP address in reverse order, since the first byte usually carries more information
  • 222.33.44.3 -> 3.44.33.222.in-addr.arpa
  • Many name servers do not support this any more
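The reversal on slide 40 is what lets an address block be delegated like any other domain: the network prefix becomes the suffix of the reverse name. The block below is an added example, not code from the slides; it builds the reverse name for the slide's address, generalises the rule to IPv6 (which reverses hex nibbles under ip6.arpa), and derives the zone name for an octet-aligned prefix. It cross-checks against the standard library's `reverse_pointer` attribute, which exists in Python's `ipaddress` module.

```python
# Added example, not from the slides: the inverse-mapping name of slide 40 for
# IPv4 and IPv6, and the reverse zone a prefix would be delegated as.
import ipaddress

def reverse_pointer(address):
    """Reverse-lookup name for an address: octets reversed under in-addr.arpa for
    IPv4, hex nibbles reversed under ip6.arpa for IPv6."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")     # 32 hex digits, most significant first
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def reverse_zone(network):
    """Zone name for an octet-aligned IPv4 prefix: because the significant octets
    come last, the prefix owner can be delegated the whole reverse subtree."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("an octet-aligned IPv4 prefix is required")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

if __name__ == "__main__":
    print(reverse_pointer("222.33.44.3"))      # the slide's example
    print(reverse_zone("222.33.0.0/16"))       # the zone that name falls under
    print(reverse_pointer("2001:db8::1"))
```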

  41. DNS port number
  • TCP and UDP port 53
  • Most of the time UDP is used
  • TCP is used for:
    • Requests with large responses (longer than 512 bytes)
    • Zone transfers

  42. Resource records:
  • Store the domain name data
  • Can be of different types:
    • A: address
    • MX: mail exchanger
    • NS: name server
    • etc.
  • Wildcard DNS records

  43. Example resource records:
  ISI.EDU.        MX  10 VENERA.ISI.EDU.
                  MX  10 VAXA.ISI.EDU.
  VENERA.ISI.EDU. A   128.9.0.32
                  A   10.1.0.52
  VAXA.ISI.EDU.   A   10.2.0.27
                  A   128.9.0.33
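The records on slide 43 are written in master-file style, where a blank owner column means "same owner as the previous record". The block below is an added example, not code from the slides: it parses exactly those lines into records and answers an MX query the way a server would, with the exchangers sorted by preference and their A records supplied as additional data. The zone text is the slide's; names are lower-cased because DNS names are case-insensitive.

```python
# Added example, not the slides' code: parse the slide 43 records (RFC 1035
# master-file style, blank owner = previous owner) and answer an MX query.
ZONE_TEXT = """\
ISI.EDU.        MX  10 VENERA.ISI.EDU.
                MX  10 VAXA.ISI.EDU.
VENERA.ISI.EDU. A   128.9.0.32
                A   10.1.0.52
VAXA.ISI.EDU.   A   10.2.0.27
                A   128.9.0.33
"""

def parse_zone(text):
    """Return a list of (owner, type, rdata); MX rdata is (preference, exchange)."""
    records, owner = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if line[0].isspace():                 # owner omitted: reuse the previous one
            if owner is None:
                raise ValueError("first record must name its owner")
        else:
            owner = fields.pop(0).lower()
        rtype = fields.pop(0).upper()
        if rtype == "MX":
            records.append((owner, "MX", (int(fields[0]), fields[1].lower())))
        elif rtype == "A":
            records.append((owner, "A", fields[0]))
        else:
            raise ValueError(f"unsupported record type {rtype}")
    return records

def mx_lookup(records, name):
    """Answer: MX records for the name sorted by preference (lowest first).
    Additional: the A records of each exchanger, as a server would attach them."""
    name = name.lower()
    answer = sorted(rdata for owner, rtype, rdata in records
                    if owner == name and rtype == "MX")
    additional = {exchange: [rdata for owner, rtype, rdata in records
                             if owner == exchange and rtype == "A"]
                  for _, exchange in answer}
    return answer, additional

if __name__ == "__main__":
    answer, additional = mx_lookup(parse_zone(ZONE_TEXT), "isi.edu.")
    for preference, exchange in answer:
        print(preference, exchange, additional[exchange])
```

Both exchangers carry preference 10, so a mail sender is free to try either; the additional section saves it a second round trip for the exchanger's address, which is the same reason the glue records on slide 33 exist.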

  44. The difference between a domain and a zone
  • This is important: the name server may know only its zone rather than the whole domain
  • A zone consists of a collection of connected nodes served by an authoritative name server
  • A single name server can host multiple zones
  • A zone contains the domain names in its domain, except for those in delegated subdomains
  • A domain contains more information than the name server would need
