270 likes | 507 Views
Scanning slides (c) 2012 by Richard Newman based on Hacking Exposed 7 by McClure, Scambray, and Kurtz. What is Scanning?. How does it differ from footprinting? Footprinting did not necessarily attempt to access the target system(s) directly Direct examination of target systems
E N D
Scanningslides (c) 2012 by Richard Newmanbased on Hacking Exposed 7 by McClure, Scambray, and Kurtz
What is Scanning? How does it differ from footprinting? • Footprinting did not necessarily attempt to access the target system(s) directly Direct examination of target systems • Determine if system is alive – network ping sweep • Determining which services are up • Determining OS type/version • Determining protocol stack versions
Determining if system is alive • Popularity=10; Simplicity=9; Impact=3; Risk Rating=7 - Purpose • Find out which IP addresses have live hosts on them • No point in detailed examination of empty address! - Network Ping sweep • ARP Host discovery • ICMP Host discovery • OS Utilities • Network discovery tools • TCP/UDP Host discovery - Ping sweep countermeasures
ARP Host discovery - 1 - Address Resolution Protocol • Works on top of layer 2, in parallel with network layer • Has its own ethertype value • Needed for “plug-and-play” autoconfiguration and mobility • Request is broadcast to all hosts on LAN • Host with matching address is required to respond • Attacker needs to be on same LAN - arp-scan by NTA Monitor (nta-monitor.com/tools/arp-scan) • Must be run as super-user • Takes CIDR subnet address range as input • Returns all responding hosts with IP and MAC addresses • Includes OUI of MAC if known - Nmap by Fyodor (nmap.org)
ARP Host discovery - 2 - Nmap by Fyodor (nmap.org) • De facto tool of choice • Works on Linux, Windows, Mac • Does much more than ARP scanning • ARP scan through -PR <CIDR address> option • Turn off port scan using -sn option • Reports IP address, MAC address, OUI's name, and latency - CAIN (oxid.it/cain.html) • Windows tool • Does much more than ARP scanning • GUI-based tool - Limitations of ARP scanning • Targets on distant network segments
ICMP Host discovery - 1 - Internet Control Message Protocol (ICMP) intended uses • Diagnostics and trouble shooting needed on internet • ICMP used for diagnostics, error reporting, management, etc. - ICMP messages • Echo request/reply (ping) • Destination unreachable • Source quench • Redirect • Time exceeded (TTL reached 0) • Timestamp/reply (used in enumeration) • Information request/reply • Address mask request/reply (used in enumeration)
ICMP Host discovery - 2 - OS ping utility uses ICMP echo request/reply messages • If receive request, must reply • Can also be used in smurf attack (using broadcast) - host may be configured not to respond to echo requests • May still respond to other messages
Network discovery tools - 1 - Nmap • Beside ICMP ping sweep also does ARP sweep and TCP pings • Limit activity (to avoid detection by IDS) using -sn (no port scan), -PE (use echo request), and --send-ip (no ARP scan) • If on different subnet, --send-ip not needed • Individual and CIDR subnet addressing • Gives responding host IP, MAC, OUI name, latency • Has -PM option for address mask and -PP option for timestamp • In case host configured to ignore ECHO REQUEST messages
Network discovery tools - 2 - hping3 and nping • Very flexible tools • Select flags, message types • Spoof source address (IP and MAC) • Set number of messages to send • nping ships with nmap - superscan • Windows tool • Free from Foundstone • Fast ping sweep • GUI with options for echo request, timestamp, address mask, and information request messages • Also supports UDP and TCP port scans and more • Can give HTML output
TCP/UDP Host discovery - 1 - Especially useful when ICMP responses are limited - Servers provide services over network • Must be able to take clients • May be open through firewall - May have to probe multiple ports to find open service • Any response indicates host is alive • More probing = higher visibility to IDS - Local hosts (not servers) may also have services • File sharing • Remote desktop • Management tools • Often have local firewall
TCP/UDP Host discovery - 2 - nmap • -sn option also include port 80 (www) • -Pn option for 1000 common ports • -p <portnumber> option to specify one particular port • --open option to suppress IP addresses that don't respond - nping • Also provides port scan option • Output noisier - superscan • Also provides options to probe particular ports or port ranges • Can take file with list of IP addresses to scan
Ping sweep countermeasures - Detection • May want to leave ICMP diagnostic abilities in place for legit use • May want to use as “early warning” of impending attack • Most standard network and desktop firewall tools can be configured to detect ping sweeps • Many OS tools available for this also • Detection does little good if nobody is watching - Prevention • Limit which ICMP messages will be allowed • Limit where they will be received from/sent to • Pingd allows handling at user level (flexible access control) • Can prevent exchange of info by compromised system using data field in ECHO REQUEST (loki2, etc.)
Determining services that are up Popularity=10; simplicity=10; impact=7; Risk Rating=9 - Port scanning • Send packets to TCP and UDP ports to find listening servers • Find live hosts • Determine which services are open • Help identify OS type, version • Identify specific applications/versions of particular service
Scan Types - 1 - TCP connect scan • Completes 3-way handshake • Takes longer • Can be run as regular user - TCP SYN scan (half-open scan) • Sends SYN, waits for SYN-ACK • SYN-ACK = open, RST = not open (usually) • Stealthier • Can produce DOS attack on target - TCP FIN scan • Sends FIN • Should receive RST (see RFC 793) • Usually works on Unix-based stacks
Scan Types - 2 - TCP Xmas tree scan • Sends FIN, URG, and PUSH TCP packet • Should receive RST on closed ports - TCP Null scan • Sends TCP segment with no flags set • Should receive RST on closed ports - TCP ACK scan • Sends packet with ACK set • Helps determine firewall policies, capabilities - TCP Windows scan • Looks at how rwnd is handled with RST to ACK segment See http://www.networkuptime.com/nmap/page3-13.shtml - TCP RPC scan - UDP scan
Scan Types - 3 - TCP RPC scan • Many Unix systems implement portmapper • Used with RPC/RMI to find services • Server registers service with portmapper (with pgm/version) • Client contacts portmapper to request service, get port# - UDP scan • Connectionless • Send ICMP “port unreachable” message if not listening • May be up if error message not received
Identifying Services - 1 - TCP SYN port scan using nmap • Use -sS option • Use -oN <file> to save human readable output • Use -oG <file> to save tab-delimited version • Use -oX <file> to save XML • -oA saves in all formats • Lists open ports with nominal services • -f option to fragment packets • Some firewalls will not reassemble fragments, just pass packet • May make it harder for IDS to detect scan • -D option provides for decoy source addresses • Burdens target with having to track down all scans • Take care to use real IP addresses to avoid SYN attack DOS • -b option to use FTP bounce scanning • Uses older FTP servers to reflect packets
Identifying Services - 2 - SuperScan (Foundstone.com) • Windows/GUI-based alternative to nmap • Port scans in addition to ICMP and ARP scans • Select port or port range to scan, and protocol • Select special techniques for TCP, UDP • UDP data+ICMP method • Multiple UDP packets to a port • May overwhelm ICMP response capability • Very accurate, but slow - ScanLine • Windows/command-line tool (also Foundstone) • Single executable • Easier to load onto compromised system • Many options - Netcat (nc) • Older, command-line tool - “Swiss army knife”
Port Scanning Countermeasures - Detection • IDS (e.g., Snort – snort.org) • Unix scanlogd (openwall.com/scanlogd) • TCP scans • See openwall.com/scanlogd/P53-13.gz for more • Configure firewall to detect • Email alerts • Use grouping to avoid DOS on email • Attacker (Foundstone.com) • Can monitor specific ports • Mostly useful against naive attackers - Prevention • Disable all unnecessary services • System specific
Detecting the OS - 1 Active OS Detection Popularity=10; Simplicity=8; Impact=4; Risk Rating=7 - Banner grabbing (later) - Available ports signature • Some systems use particular ports for services - Active Stack Fingerprinting • Responses to probes is implementation dependent • Multiple types of probes used to narrow field • See insecure.org/nmap/nmap-fingerprinting-article.html Hard to prevent, not so hard to detect
Detecting the OS - 2 Active Stack Fingerprinting Probes - FIN probe • Correct not to respond, but some send FIN/ACK - Bogus flag probe (in SYN packet) • Correct to ignore, but some set flag in SYN-ACK - Initial Sequence Number (ISN) sampling • Patterns may be found in ISNs for connections that depend on OS - DF bit monitoring • Some OS's may set DF in IP header to improve performance - TCP initial window size • Some systems have characteristic initial rwnd size • Note that rwnd is indication of buffer space at receiver, set by OS - ACK value • May use last SN (less common) or last SN+1 (usual)
Detecting the OS - 3 - ICMP error message quenching • Systems may limit the number of ICMP error messages (RFC 1812) • Send UDP packets to random port, determine rate of ICMP unreachable port messages -ICMP message quoting • ICMP error messages include some initial portion of the offending datagram • Amount of data included varies according to system - ICMP error message-echoing integrity • Some systems change IP headers quoted in ICMP error messages - TOS on ICMP port unreachable message • Usually TOS=0, but may vary - Fragmentation handling • Observe how probe packets with overlapping fragments are reassembled - TCP options • Which options set (e.g., RFC 793, or 1323 also) varies
Detecting the OS - 4 Passive OS Detection Popularity=5; Simplicity=6; Impact=4; Risk Rating=5 - Less obtrusive than active OS fingerprinting - Monitor traffic to/from target • Requires favorable position - Passive signatures • TTL on outbound datagrams • Initial window size (rwnd) • DF (don't fragment) bit set? • Siphon tool (packetstormsecurity.org) Hard to prevent, hard to detect
Storing and Processing Scan Data - Large amounts of data may be produced - Desirable to have ways to sift through data, select items of interest - Metasploit (metasploit.com) • Postgres database for querying • Can run nmap from metasploit • Can import nmap output into database • Then run queries to select desired items