JAVIER ECHAIZ
Network Security (Seguridad en Redes), Class 26
Javier Echaiz, D.C.I.C. – U.N.S.
http://cs.uns.edu.ar/~jechaiz
je@cs.uns.edu.ar
Network Security (Seguridad en Redes)
"The network is the security problem" -- paraphrasing Sun :-)
HACKERS - The Modern Roadwarrior -
THE CHANGING WORLD
• General Powell describes an historic meeting with Gorbachev, who was becoming frustrated in trying to explain how the old model of the world was unworkable. He finally leaned across the table to Secretary Schultz and said, "You need to understand, Secretary Schultz; today I am ending the cold war." He then turned to Powell and said, "General, you will have to find another enemy."
• The bipolar world of the last half century has become a multipolar economy dominated by the United States, Europe and the Pacific Rim.
  - Economic competition has replaced military competition.
  - Information and economic value have become synonymous.
  - Personal and economic interests have merged with national interests.
• The new economy is based upon information technology that is fast leading to an age of networked intelligence (the network is the computer), which in turn is leading to a new society with new politics.
• The world is on the doorstep of a digital economy fueled by information and knowledge. (Information is Power)
THE CHANGING WORLD Contd
• The breakdown of the old world order has led to a rise in nationalism, old hatreds and religious rivalries, and to the formation of numerous nation-states, each competing for its own viable economy and identity.
• The conflict of the superpowers has given way to regional conflicts between comparatively small ethnic and political groups.
• The foundation of both the mature and the emerging economies is based upon access to information that will enhance a mature economy or propel a weak one into power.
• The competition among nations is then one based upon acquiring the latest and best economic information that will give the corporation or the nation an economic advantage.
BUSINESS HAS BECOME WAR, THE BATTLEFIELD IS THE INFORMATION HIGHWAY AND THE HACKER, FOR GOOD OR BAD, IS THE MODERN ROAD WARRIOR.
Hackers - An Academic View -
HACKER HISTORY
• The original generation of Hackers has been said to include such personalities as John von Neumann, Alan Turing and Grace Hopper.
• The first use of the term "Hacker" is attributed to members of the "Tech Model Railroad Club" at MIT in the late 1950s.
• This was originally a term of praise for the very best programmers and designers.
• Media coverage in the 1980s redefined the term to be synonymous with "Computer Criminal".
• The visibility and rise of Hackers is the result of four major developments:
  1. The proliferation of computers.
  2. The dramatic rise and geographical expansion of networks.
  3. The dramatic rise in computer literacy.
  4. The dependence of organizations upon information.
PERSONAL BELIEFS
• Computers are tools for the masses. Computers should not be private devices for the rich.
• Information belongs to everyone. Most hackers start at the university, which generates and distributes knowledge.
• Coding is community property. The status of all software should be shareware, freeware or public domain.
• Coding is an art. A good program has a certain elegance and beauty. In beauty there is creativity, which is demonstrated by a program that can penetrate others.
• The computer lives. Most hackers have a social and personal relationship with their computer.
The Hacker Ethic
• Access to computers should be unlimited and total.
• Always yield to the Hands-On Imperative.
• All information should be free.
• Mistrust authority -- promote decentralization.
• Hackers should be judged by their hacking.
• You can create art and beauty on a computer.
• Computers can change your life for the better.
PERSONAL QUALITIES
• Mostly White. There seems to be a correlation between race and affluence.
• Mostly Male. It is unknown why males seem to be predominant as hackers, although there have been examples of females serving as Hackers and Hacker Leaders.
• Young. Most are under 30 and concentrated around colleges and universities.
• Bright. A good hack results from meeting a challenge, which in many cases requires exceptionally high intelligence.
• Understanding, Prediction and Control. These three conditions seem to bring a sense of competence, mastery, and self-esteem.
• Computer fascination. For many of us the computer is simply a tool. For the hacker it is an unendingly fascinating toy - a mystery wrapped in an enigma to be explored and understood.
• No malice. The good hack does no damage.
Social Views on Hackers
• Misguided youths. Hackers are misguided youths and are essentially harmless. Their intelligence and creativity should be encouraged but directed toward more constructive channels.
• Security specialists. Hackers know the corporate security weaknesses. They should be hired as security specialists and their expertise utilized to protect the corporate vital information resources.
• Scumbags. Hackers are the scum of the earth and should be treated as varmints: hunted down with dogs and put away for life.
• Ordinary criminals. Hackers should be treated no differently than any other criminals. Human nature inevitably breeds predators, and it is the responsibility of everyone to put in place the necessary controls to protect their valuables.
HACKER COMMENTS
• "Hacking to me [is] to transcend custom and engage in creativity for its own sake..."
• "For the most part, it's simply a mission of exploration. In the words of the captain of the starship Enterprise, Jean-Luc Picard, 'Let's see what's out there!'"
• "It's like picking a lock on a cabinet to get a screwdriver to fix a radio. As long as you put it back, what's the harm?"
• "Although computers are part 'property' and part 'premises' ..... they are supreme instruments of speech..... We must continue to have absolute freedom of electronic speech."
• "Thousands of people legally see and use this ever-growing mountain of data, much of it erroneous. Whose rights are we violating when we peruse the file? ...The invasion took place long before the hacker ever arrived."
• "Crime gets redefined all the time. Offend enough people or institutions and, lo and behold, someone will pass a law."
• "At the risk of sounding like some digital posse comitatus, I say: Fear The Government That Fears Your Computer."
HACKER DEFINITIONS
• A Hacker is someone who has achieved some level of expertise with computers.
• A Cracker is someone who breaks into systems without permission.
• A Script Kiddie is someone who uses scripts or programs from someone else to do his/her cracking.
• Other terms are leech, warez puppy, warez d00d, lamer and rodent.
• A Phreaker is a hacker who specializes in telephone systems.
• A White Hat is someone who professes to be strictly a good guy.
• A Black Hat is someone who is viewed as a bad guy.
• A Grey Hat is someone who falls in between White and Black.
HACKER MOTIVATION
• Psychological Need/Recognition.
• Desire to Learn/Curiosity.
• Revenge/Maliciousness.
• Experimentation.
• Gang Mentality.
• Misguided trust in other individuals.
• Altruistic reasons.
• Self-gratification.
• Desire to Embarrass.
• Joyriding.
• Scorekeeping.
• Espionage.
• Cyber-Warrior.
TYPICAL HACKER ATTACKS
• Insider Attack.
• Social Engineering.
• Virus Infiltration.
• Denial of Service.
• Software Bug.
• Password Infiltration.
• Lack of Security Infiltration.
• IP Spoofing.
• Trojan Horse.
• Stealth Infiltration.
• Brute Force.
• TCP/IP Protocol Flaw.
• Worms and viruses.
Where the attacks come from:
• 49% are inside employees or contractors on the internal network.
• 17% come from dial-up by inside employees.
• 34% are from the Internet.
• The major financial loss is internal hacking.
WHAT MAKES A TARGET?
• Lax Security (hard on the outside, soft on the inside!).
• Target of an Extremist Group, e.g., Tamil Tigers.
• Target of a Radical Group, e.g., Animal rights.
• High visibility makes a good "Scorekeeper" site.
• High visibility makes a good "Embarrassment" site.
• Resources that are useful to the hacker.
• Destruction of the ability to provide service to customers.
• Desire to make a statement, e.g., Free Kevin.
• You are a challenge, e.g., the Cheswick and Bellovin site.
HACKER CATEGORIES
• Semi-Professional Hacking. Performed part-time and does not provide an income.
  - They fit the classical hacker characteristics, i.e. they work and play on the edge of society, have a gang mentality, have strong negative responses to threats against his/her self-esteem, and can have narcissistic personality disorders.
• Inner-City Hacking. Inner-city residents (any race, color, religion, creed, etc.) who exhibit anger at social conditions, exhibit no social conscience, and for whom jail is not a deterrent.
  - Hacking gives them a sense of power and allows them to make their own rules.
• Eurohacking. More worldly and enlightened than US hackers, and generally motivated by philosophical or political concerns.
  - Generally thought of as a way of life and not a crime; thinks cracking is treating technology without respect; thinks it's great sport to spin up intelligence communities.
• Professional Hacking. This encompasses any for-profit activity such as spies, industrial espionage, narcoterrorists, white collar criminals, etc.
HACKER ATTACK CATEGORIES
• Personal Attacks. Attacks against an individual's electronic privacy.
  - This could take the form of exposure of TRW records, exposure of criminal records, changing correct to incorrect entries on your digital self, changing your DMV record, changing your telephone record, sending explicit sex material across the Internet in your name, etc.
  [Instructor's note: One reporter critical of hackers was reputed to have been sentenced to "electronic death". Hackers had his telephone, gas, and electricity turned off, flooded him with unordered mail-order merchandise and posted his credit report on a public BBS.]
• Corporate Attacks. This attack primarily includes:
  - industrial espionage on the part of competing corporations (whether foreign or domestic);
  - economic espionage such as insider trading information, plans of the Federal Reserve System, and possible mergers; and
  - white collar crime such as electronic funds transfer, bank fraud, toll fraud, etc.
• Information Warfare. This attack is against a country, its politics and its sphere of influence. This primarily includes:
  - Offensive Information Warfare against such infrastructures as Wall Street, the Federal Reserve System, the Internal Revenue Service, Air Traffic Control Systems, Manufacturing Systems, Communication Systems, etc.
  - Defensive Information Warfare to provide infrastructure assurance against attacks.
Note: These are attacks considered from an information perspective and from a very high level.
HACKER EXAMPLES
• The Cuckoo's Egg discussed four hackers from Hannover, Germany (Dirk Brzesinski, Peter Carl, Markus Hess and Karl Koch) who penetrated, or attempted to penetrate, at least 50 computers connected to MILNET.
  - These systems included the Pentagon, Lawrence Livermore Labs, the Los Alamos Nuclear Weapons Systems and the National Computer Security Center.
  - They exploited these systems by means of weaknesses in TCP/IP and the UNIX operating systems.
  - One of their favorite techniques was to plant Trojan Horses to steal authorized passwords.
• The German Chaos Computer Club brought "chaos" to the National Aeronautics and Space Administration computer systems in the late 1980s.
  - They primarily planted Virus programs at the Goddard Space Flight Center in Greenbelt, Md.
  - They gained access through a Unix flaw that the system administrator had failed to patch.
HACKER EXAMPLES Contd
• Eberhard Blum, part of the Bundesnachrichtendienst (BND), is reputed to have instituted a program called Project Rehab, composed of computer scientists and designed to penetrate the communications systems of the Eastern bloc.
  - Since the fall of the Eastern bloc this organization is reputed to have targeted the West.
• The Direction Générale de la Sécurité Extérieure (the French CIA) is reputed to target foreign businesses.
  - Their favorite US targets seem to have been IBM and TI.
  - They are reputed to search visitors' rooms looking for information on laptops and to bug Air France flights.
  - The French are reputed to auction these industrial secrets to the highest corporate bidder.
• The Ministry for International Trade and Industry (MITI) is reputed to coordinate the industrial espionage activities of Japanese corporations.
  - These secrets are funneled through MITI, which uses the information as part of their national industrial policy.
• China, the former Soviet Union, France, Japan, Israel, Sweden, Switzerland and the UK are reputed to be the most active in national industrial espionage.
HACKER EXAMPLES Contd
• Robert Morris Jr, Cornell University, brought the Internet to its knees in 1988 through the "Internet Worm".
  - The Worm consumed computer resources, making them unavailable to others and thereby either halting the computer or slowing it to a crawl. The worm primarily consisted of two attack programs:
    - a program designed to exploit the backdoor DEBUG command in Sendmail,
    - a Finger daemon program to inundate the Finger daemon's input buffer, and a password guessing program.
• The Legion of Doom (LoD) and the Masters of Destruction (MoD) were two of the major computer gangs in the late 80s and early 90s.
  - They were from Brooklyn, the Bronx and Queens.
  - They wiretapped, intercepted data transmissions, reprogrammed phone computer switches, stole and sold passwords, etc.
  - The LoD were convicted in 1992, apparently turned in as a result of a falling out with other hackers.
Selected LoD Members:
  - Chris Goggans (Erik Bloodaxe)
  - Scott Chasin (Doc Holliday)
Selected Known MoD Members:
  - Mark Abene (Phiber Optik)
  - Julio Fernandez (Outlaw)
  - John Lee (Corrupt)
  - Elias Ladopoulos (Acid Phreak)
  - Paul Stira (Scorpion)
THE BOEING ATTACK - 1995
November 1995
1. A computer consultant noticed the system was sluggish.
   (a) He executed the top command to determine what was slowing down the system.
   (b) A program called vs was consuming a large amount of system resources and was running as superuser.
2. He next ran ps.
   (a) vs did not appear, so he suspected a break-in.
3. He executed the Emacs dired command and found the vs program in a hidden directory, at /var/.e/vs.
4. He next did a chdir() to the /var directory and ran an ls -a command.
   (a) The directory /var/.e was not displayed.
5. The programmer used the tar command to make a copy of the /var/.e, /bin and /etc directories.
   (a) He copied this to another computer.
6. The programmer then shut down the system.
7. He next examined the /bin/login file and found it had been modified to allow logging in with a special password.
8. This seemed to be an exceptionally sophisticated attack.
[Diagram: Hacker -> Internet -> modem attack on the Boeing computer, which in turn has trusted connections to an Education computer, a Government computer and a Commercial computer.]
THE BOEING ATTACK - 1995 Contd
9. He found that /var/.e/vs was a password sniffer which passed copied passwords to a remote computer.
10. He found the /bin/ls and /bin/ps commands had been modified to not display the directory /var/.e.
11. He also found the /bin/ls, /bin/ps and /bin/login file creation dates and modification times had been reset to the original dates and times.
12. He found, in addition, that the checksums for the modified commands matched those of the original unmodified versions.
    (a) A comparison of the modified programs with the backup version revealed the differences.
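Steps 11 and 12 are the instructive part of this case: the tampered ls, ps and login kept their original timestamps and their original checksums, and only a byte-for-byte comparison against an off-host backup exposed them. The following is an added example, not code from the slides or from Boeing: it uses a simple 16-bit additive checksum as a stand-in for the weak checksum tools of the era (the slides do not say which program was used, so this is an assumption), short byte strings as constructed stand-ins for the binaries, and shows why a baseline of cryptographic hashes kept off the host catches what the checksum and mtime miss.

```python
"""File-integrity baseline check: why an unchanged timestamp and a matching
checksum do not prove that /bin/login, /bin/ls or /bin/ps are intact.

Added example, not from the original slides. A 16-bit additive checksum stands
in for the checksum tool of the era (assumption), and short byte strings stand
in for the binaries (constructed, not real program contents)."""
import hashlib


def weak_checksum(data: bytes) -> int:
    """Toy 16-bit additive checksum: any edit can be cancelled by appended padding."""
    return sum(data) & 0xFFFF


def strong_hash(data: bytes) -> str:
    """Cryptographic hash: no practical way to pad a modified file back to the original digest."""
    return hashlib.sha256(data).hexdigest()


def forge_padding(original: bytes, modified: bytes) -> bytes:
    """Bytes which, appended to `modified`, make its weak checksum equal the original's.
    Models how the trojaned binaries kept the expected checksum (step 12 on the slides)."""
    delta = (weak_checksum(original) - weak_checksum(modified)) & 0xFFFF
    return bytes([0xFF] * (delta // 0xFF) + [delta % 0xFF])


# Constructed stand-ins for the three programs the consultant examined.
ORIGINAL = {
    "/bin/login": b"login: check the password against /etc/passwd\n",
    "/bin/ls":    b"ls: list every directory entry\n",
    "/bin/ps":    b"ps: list every process\n",
}

# Baseline recorded while the system was known-good and kept off the host
# (the consultant's tar copy to another computer played this role).
BASELINE = {
    path: {"sum": weak_checksum(data), "sha256": strong_hash(data)}
    for path, data in ORIGINAL.items()
}


def trojan(path: str, tampered: bytes) -> bytes:
    """Modified program padded so its weak checksum still matches the baseline."""
    return tampered + forge_padding(ORIGINAL[path], tampered)


# State of the host after the break-in described on the slides: login accepts
# a special password, ls hides /var/.e; ps is left untouched in this sample.
CURRENT = {
    "/bin/login": trojan("/bin/login", b"login: check the password, or accept the special one\n"),
    "/bin/ls":    trojan("/bin/ls", b"ls: list every directory entry except /var/.e\n"),
    "/bin/ps":    ORIGINAL["/bin/ps"],
}


def check_integrity(current: dict, baseline: dict) -> dict:
    """For each file, report whether the weak checksum and the strong hash match the baseline."""
    return {
        path: {
            "weak_checksum_matches": weak_checksum(data) == baseline[path]["sum"],
            "sha256_matches": strong_hash(data) == baseline[path]["sha256"],
        }
        for path, data in current.items()
    }


def tampered_files(current: dict, baseline: dict) -> list:
    """Paths whose strong hash differs from the baseline, whatever the checksum or mtime says."""
    report = check_integrity(current, baseline)
    return sorted(path for path, r in report.items() if not r["sha256_matches"])


if __name__ == "__main__":
    for path, r in check_integrity(CURRENT, BASELINE).items():
        print(f"{path}: checksum match={r['weak_checksum_matches']}, "
              f"sha256 match={r['sha256_matches']}")
```

Run on the sample, both trojaned files pass the checksum test and fail the hash test; only /bin/ps passes both. Resetting mtime (step 11) is equally irrelevant to the hash, which is why the baseline has to be a cryptographic digest stored where the intruder cannot rewrite it.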
Attack Methodology
• What to Attack (selecting a network/target).
  1. Internet
     a. Access the Network Information Center. The InterNIC provides Registration (rs.internic.net), Database (ds.internic.net) and Information (is.internic.net) Services.
     b. whois server to obtain public information on hosts, networks, domains and system administrators.
     c. WWW using the Uniform Resource Locator (URL) notation.
     d. DNS to acquire the dotted decimal address.
     e. traceroute to determine intermediate networks.
     f. SNMP to dump a router table.
     g. Archie to establish the locations of files. Archie is a server with an index of filenames.
     h. Gopher as an ftp interface. Gopher allows access to resources through menus.
Attack Methodology Contd
• What to Attack (selecting a network/target).
  2. Telecommunication/Modem
     a. Social Engineering.
     b. Dumpster Diving.
     c. Demon Dialing (Scanning/Autodialing/WarDialing).
     d. Wiretapping.
     e. Optical spying.
     f. Cheese box (unauthorized call forwarding).
     g. Piggybacking.
     h. Call Forwarding.
     i. Password Breaker.
     j. Parking Lots.
     k. Shoulder Surfing.
     l. Socializing.
     m. Stealing Laptops.
     n. Wireless Communication.
Attack Methodology Contd
• Who to Attack (selecting a host).
  1. Ping the address with an ICMP Echo Request. This can also be used to find the route of the packet to the address.
  2. DNS with a reverse name look-up to translate the numeric address into a domain name address.
  3. DNS HINFO records provide the hardware and operating system release, which will be helpful in formulating an attack.
  4. Pinglist (a modification of traceroute with UDP) to map the network.
  5. Netmappers are publicly available.
  6. Portmappers are publicly available.
  7. The Login Screen can be used to derive information about the target.
Note: Breadth is more important than innovation.
• Select a known vulnerability rather than expose a new one.
Attack Methodology Contd
• Testing the host (finding a weakness). Note: Weaknesses are generally specific to an operating system or host hardware, or due to old bugs that have not been patched.
• Utilize Internet Security Scanner (ISS) or Security Analysis Tool for Auditing Networks (SATAN) to scan for various holes.
  a. Check for unprotected logins or mail aliases (sync, guest, lp, etc.) that do not require a password.
  b. Connect to the mail port with Telnet and log the mailer type and version.
  c. Attempt an anonymous FTP connection and try to grab the /etc/passwd file by using the root account. May want a list of supported commands.
  d. rpcinfo to test for services running. This program prints out the current portmapper contents, which detail what Remote Procedure Call programs, ports, and protocols are active. Looking for NFS/mountd, yp/ms, rexd.
  e. ypx to attempt to grab the passwords through the Network Information System (NIS), originally called Yellow Pages, in order to invoke some type of dictionary attack.
  f. Transitive Trust Analyser to learn the source of logins and to recursively probe those hosts.
  g. fping to determine Internet connection or Firewall.
Attack Methodology Contd
• Hacker goals after penetration:
  - Leave no evidence of the successful attack. The good hack retains a cloak of invisibility.
  - Fetch and crack the /etc/passwd file.
  - Obtain machine root (superuser) access.
  - Install password sniffing tools to collect data for later retrieval.
  - Install two or more security backdoors (security holes).
  - Check the /etc/hosts or .rhosts files for trusted hosts.
  - Check the mail alias database and log files.
  - Run security auditing programs such as:
    - COPS
    - Internet Security Scanner (ISS)
    - Security Analysis Tool for Auditing Networks (SATAN)
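The first check the scanners above perform (item a: logins such as sync, guest or lp that need no password) is the same one an administrator runs with COPS before an intruder does. The following is an added example, not code from the slides and not COPS, ISS or SATAN: it parses /etc/passwd-style records (constructed sample lines in the classic seven-field format), flags accounts that have an empty password field together with a usable shell, and flags any extra UID 0 account, the kind of backdoor the post-penetration list above describes.

```python
"""Audit /etc/passwd-style records for logins that need no password and for
extra superuser accounts, the kind of check COPS performed.

Added example: not from the slides and not COPS/ISS/SATAN code. The records
below are constructed sample lines in the classic seven-field passwd format."""

# Constructed sample; "x" means the hash lives in /etc/shadow, "*" means no login possible.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor::0:0:second superuser:/root:/bin/sh
sync::5:0:sync:/sbin:/bin/sync
guest::500:100:guest account:/home/guest:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/sbin/nologin
alice:x:1001:100:Alice:/home/alice:/bin/sh
# comment lines and blanks are skipped

""".splitlines()

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(lines):
    """Yield one dict per well-formed record; comments, blanks and malformed lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        yield {"name": name, "pw": pw, "uid": int(uid), "home": home, "shell": shell}


def audit_passwd(lines):
    """Return sorted (account, finding) pairs.

    An empty password field combined with a usable shell means anyone can log
    in as that account. On a shadowed system the same test must be repeated on
    the second field of /etc/shadow, since "x" here says nothing about the hash."""
    findings = []
    for rec in parse_passwd(lines):
        if rec["pw"] == "" and rec["shell"] not in NOLOGIN_SHELLS:
            findings.append((rec["name"], "no password and a login shell"))
        if rec["uid"] == 0 and rec["name"] != "root":
            findings.append((rec["name"], "extra UID 0 account"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {finding}")
```

On the sample this reports guest and sync (no password, login shell) and toor twice (no password, and a second UID 0); lp is left alone because "*" blocks login and its shell is a nologin shell. The same file is what an intruder fetches and cracks after getting in, so the audit is worth running before every exposure, not once.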
HACKERS - A Hackers View -
Note: A hacker spends 60-70 hours/week hacking!
• Why?
  - A challenge / a game of wits, skill and ingenuity.
  - A sense of enjoyment / accomplishment.
  - Intensely interested in computers.
• Hacker Profile:
  - Teens or early twenties.
  - A fast learner.
  - Academically advanced.
  - Bored in school.
• Hackers grow up to become computer professionals.
• As many as 80% of all system operators claim to have hacked.
Type of Hackers
• The Novice:
  - 12-14 years old.
  - Live off more advanced Students.
  - Hacking is fun and mischief.
  - They will generally log on, look around, get bored and leave.
  - They can be unpredictable.
  - They will normally identify themselves as a hacker when confronted. The more experienced hacker will be ambiguous.
  - Easily defeated by security.
Type of Hackers Contd
• The Student:
  - Very bright but bored.
  - Excited by learning more about computers.
  - They will spend days examining files on a system.
  - Hacking is a solitary pastime - not antisocial behavior.
  - Generally adheres to good computer ethics.
  - He wants to remain undiscovered so he can use the system.
  - He wants to stay out of trouble.
  - He respects the system/programmers and doesn't want to create additional work.
  - He may seek employment with the company (at just the right time with just the right credentials).
Type of Hackers Contd
• The Tourist:
  - Likes adventure and a challenge.
  - They break in, look around and then leave.
  - The successful hack constitutes the thrill.
  - They will normally plan their attack.
  - They are meticulous and always figure the odds of success.
  - The harder the target, the less likely they will attempt a break-in.
  - They normally trade information with other hackers.
  - They may service other hackers.
  - The best defense is to harden the system.
Type of Hackers Contd
• The Crasher:
  - A troublemaker.
  - No obvious purpose or logic to their hacking.
  - Makes themselves visible by creating as much trouble as possible.
  - They are very patient and plan their attack to accomplish the most damage.
  - Erases programs, files, etc.
  - Crashers don't have a good reputation with other hackers. They crash hacker bulletin boards, close down hacker accounts, etc.
  - The Crasher must be stopped during the reconnaissance phase.
Type of Hackers Contd
• The Thief:
  - Not perceived as Hacking but as Computer Crime.
  - They will spend hours in reconnaissance and planning the attack.
  - They use bribes, blackmail, wiretaps, spying, etc.
  - Normally works for the organization they are robbing.
  - Rarely discovered.
  - The best defense is in-depth security.
Levels of Effort
• Level One.
  - Targets of opportunity.
  - Tests for basic flaws and, if none are available, moves on.
  - Little or no effort.
• Level Two.
  - Partial to a particular OS and will expend extra effort.
  - Well-known system defaults, loopholes and bugs.
• Level Three.
  - More intense effort, normally related to a specific host.
  - Tries common passwords and normally succeeds.
• Level Four.
  - Extreme effort that takes months.
  - Successful about 90% of the time.
  - These are Tourists that research and plan with great patience.
• Level Five.
  - A Thief ("Show me the money").
  - He expects payback for his time and effort.
Attack Methodology
• The Beginning - Motivation: Decide why this system should be attacked.
  - Boredom.
  - Revenge.
  - Financial gain.
  - Peer respect.
  - A challenge.
  - Rattle the site.
  - Curiosity.
Attack Methodology
• Step One - The Target Reconnaissance. Target Reconnaissance, sometimes called footprinting, is when the Hacker gathers information about the target system and the network.
  - Search the Internet - Web sites, IRC, newsgroups, etc.
  - Use the Domain Information Groper (DIG) to attempt a Zone Transfer.
  - Gather information on network users through the Web, newsgroups, telephone books, Social Engineering, Dumpster Diving, examining cars, etc.
  - This will reveal password combinations and the policy for determining user names.
Attack Methodology Contd
• For example:
  - whois navy.mil will find hosts on the navy.mil network.
  - nslookup on navy.mil will return information contained in the navy.mil DNS.
  - Utilize a zone transfer program (DIG or named-xfer) to retrieve the DNS files from the primary DNS.
  - Utilize the ping command to determine which systems are connected to the Internet.
  - telnet navy.mil will determine the machine type and OS version.
  - Utilize telnet to port 25 to determine the sendmail version and machine type.
  - Utilize rpcinfo to scan for active ports and return a list of RPC programs running on the machine with version numbers and port numbers.
  - Utilize finger to get a list of users on the system, etc.
Attack Methodology Contd
• Step One - The Target Reconnaissance Contd.
• Utilize whois to provide the following type of information: Organizational, Domain, Network, Point of Contact.
• The following databases can provide this type of information:
  - InterNIC Database: http://www.networksolutions.com
  - American Registry for Internet Numbers: http://www.arin.net
  - European IP Addresses: http://whois.ripe.net
  - Asia Pacific IP Addresses: http://whois.apnic.net
  - U.S. Military: http://whois.nic.mil
  - U.S. Government: http://whois.nic.gov
• With the following type of tools:
  - Whois Web Interface: http://www.networksolutions.com, http://www.samspade.org, http://search.websitz.com
  - Xwhois: http://www.goatnet.ml.org
Attack Methodology Contd
• Step One - The Target Reconnaissance Contd.
• Examine the target organization Web pages for:
  - Locations.
  - Related companies.
  - Organization with phone numbers / E-Mail addresses.
  - Privacy and Security policies.
  - Links to other sites.
  - News articles.
  - Press releases.
  - Review the HTML source code.
• Utilize Internet Search Tools such as:
  - FerretPRO to search IRC, USENET and E-Mail file databases.
  - AltaVista, Hotbot, etc. search engines to search for links back to the target, rogue web sites at home, etc.
  - The EDGAR database (Securities and Exchange Commission) on the parent organization and subsidiaries.
Attack Methodology Contd
• Step One - The Target Reconnaissance Contd.
• The following type of information should now be available:
  - Host name(s).
  - Host address(es).
  - Host owner.
  - Host machine type.
  - Host operating system.
  - Network owner.
  - Other hosts on network.
  - Network configuration.
  - Hosts trusted by network.
  - Hosts outside network.
  - List of users.
  - User-name assignment policy.
Attack Methodology Contd
• Step Two - The Probe and the Attack.
• Remote Blind Attack. The user knows the network address but not a valid account or access.
  - Exploit a service weakness.
  - Exploit a protocol weakness.
• Inside User Attack. The user/hacker has user-level/unprivileged access, obtained through:
  - Sniffed passwords.
  - Traded accounts.
  - Shoulder surfing.
  - Remote blind attack.
  - Cracked passwords.
  - Social engineering.
  - Default user accounts.
• Physical Attack.
  - Plug into the network.
  - Physical access to the host.
  - Piggybacking.
Attack Methodology Contd
• Step Two - The Probe and Attack. Probe the system for weaknesses and exploit a security weakness to gain system entry.
• Probe the system perimeter for potential weaknesses. This is a highly automated function and the most dangerous for the hacker.
  - Security Administrator Tool for Analyzing Networks (SATAN).
  - Internet Security Scanner (ISS).
  - Strobe.
• The probes provide a list of available services and ports.
  - The services, depending upon their software version, will have known weaknesses that can be exploited.
  - These weaknesses are normally documented by a CERT advisory.
• Exploit a security weakness and gain system entry. Typically, you want a login account and a password. Example: an encrypted password can be broken with Crack.
• Typical attacks would be:
  - a phf attack on a web page.
  - a fingerd buffer attack.
  - an FTP bounce attack.
Attack Methodology Contd
Step Two - The Probe and Attack (Scanning)
• Network Scanning
  - Ping Sweep a range of IP addresses / network blocks to determine whether individual systems are alive. The following tools are typical:
    - ping with TCP/IP
    - fping, part of the TAMU tools
    - nmap by Fyodor
    - Pinger from Rhino9
    - Ping Sweep from SolarWinds
    - WS_Ping ProPack from Ipswitch
    - NetScanTools from Northwest Performance
• Network Scanning Countermeasures
  - Utilize Intrusion Detection Systems (IDS) such as:
    - Network Flight Recorder
    - RealSecure
    - BlackIce
    - NetProwler
Attack Methodology Contd
Step Two - The Probe and Attack (Scanning)
• Port Scanning
  - Port Scanning is the process of connecting to TCP/UDP ports on the target system to determine what services are running. This is critical for the hacker to know the type of OS/Service in use. Typical port scan tools are as follows:
    - Strobe by Julian Assange.
    - Udp-scan that comes with SAINT (a newer version of SATAN).
    - netcat from Hobbit.
    - PortPro from StOrM.
    - Portscan from Rhad of the 7th Sphere.
    - Network Mapper (Nmap) from Fyodor (arguably the best).
Attack Methodology Contd
Step Two - The Probe and Attack (Scanning)
• Port Scanning. Typical port scans are as follows:
  - TCP connect scan: The full three-way handshake (SYN, SYN/ACK, ACK).
    - The Scanner immediately sends an ACK/FIN packet to end the session.
  - TCP SYN (Half-Open) scan: A full TCP connection is not made. Only a SYN packet is sent to the target port.
    - If a SYN/ACK is received, the target port is LISTENING.
    - A RST/ACK is immediately sent by the Scanner so that the connection is never established and therefore not logged.
    - If a RST/ACK is received, it usually means the port is not LISTENING.
  - TCP FIN (Stealth) scan: Only an ACK/FIN packet is sent to the target port.
    - Closed ports tend to respond with a RST/ACK.
    - Open ports tend to ignore the FIN packet.
  - TCP Xmas Tree scan: A FIN/URG/PUSH packet is sent to the target port.
    - The target port should send back a RST packet for all closed ports (RFC 793).
Attack Methodology Contd
Step Two - The Probe and Attack (Scanning)
• Port Scanning. Typical port scans contd:
  - TCP Null scan: A packet is sent with no flags set.
    - The target host should send back a RST for all closed ports (RFC 793).
  - UDP scan: The scanner sends a UDP packet to the target port.
    - A closed port responds with an "ICMP port unreachable" message.
    - An open port will typically not respond with this message.
  - Fragmentation Scan: This is a combination of techniques.
    - Typically, the SYN and FIN scan is used but is broken into tiny fragments prior to sending.
  - Ident scan: This is also a combination of methods.
    - A full TCP connection is established to port 113.
    - The Ident Protocol (RFC 1413) is then used to determine the owner of the process connected to that port.
• Port Scanning Countermeasures
  - Intrusion Detection Systems such as:
    - NFR
    - RealSecure
    - NetProwler
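The flag combinations listed above are exactly what the IDS products named as countermeasures key on: a bare SYN to many ports with no completed handshake, or FIN, FIN/URG/PUSH and no-flag packets arriving outside any established connection. The following is an added example, not code from the slides and not the detection logic of NFR, RealSecure or NetProwler: it classifies each packet's flag set into the scan types the slides describe and reports any source that sent the same probe type to more than a threshold of distinct ports. The packet records are constructed sample data, not a capture.

```python
"""Classify TCP probe packets by their flag pattern and flag sources that hit
many ports with the same probe type.

Added example (not from the original slides, and not the code of any IDS named
there). The packet records below are constructed sample data, not a capture."""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits, low to high, as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: int  # bitwise OR of the constants above


def classify_probe(flags: int) -> str:
    """Map a packet's flag set to the scan type on the slides it resembles.

    Anything else (SYN/ACK, ACK, PSH/ACK, RST, ...) belongs to ordinary traffic
    or to the target's replies and is reported as "other"."""
    if flags == 0:
        return "null"                # TCP Null scan
    if flags == (FIN | URG | PSH):
        return "xmas"                # TCP Xmas Tree scan
    if flags == FIN:
        return "fin"                 # TCP FIN (stealth) scan
    if flags == SYN:
        return "syn"                 # opening SYN of a connect or half-open scan
    return "other"


def detect_scans(packets, port_threshold=5):
    """Return {src: {probe_type: set_of_ports}} for every source that sent the
    same probe type to more than `port_threshold` distinct ports.

    A legitimate client rarely sends bare SYNs to many different ports, and
    never sends FIN, Xmas or Null packets outside an established connection,
    so a FIN/Xmas/Null bucket of any size already deserves a look."""
    seen = defaultdict(lambda: defaultdict(set))
    for p in packets:
        kind = classify_probe(p.flags)
        if kind != "other":
            seen[p.src][kind].add(p.dport)
    alerts = {}
    for src, kinds in seen.items():
        hits = {k: ports for k, ports in kinds.items() if len(ports) > port_threshold}
        if hits:
            alerts[src] = hits
    return alerts


TARGET = "192.0.2.10"  # constructed address (RFC 5737 documentation range)
SAMPLE_PACKETS = (
    # source A: half-open (SYN-only) sweep of ports 20-29
    [Packet("198.51.100.7", TARGET, port, SYN) for port in range(20, 30)]
    # source B: Xmas Tree probes against eight well-known ports
    + [Packet("198.51.100.9", TARGET, port, FIN | URG | PSH)
       for port in (21, 22, 23, 25, 80, 110, 143, 443)]
    # source C: an ordinary client completing a handshake to port 80 and sending data
    + [Packet("203.0.113.5", TARGET, 80, SYN),
       Packet("203.0.113.5", TARGET, 80, ACK),
       Packet("203.0.113.5", TARGET, 80, PSH | ACK)]
)

if __name__ == "__main__":
    for src, hits in detect_scans(SAMPLE_PACKETS).items():
        for kind, ports in hits.items():
            print(f"{src}: {kind} probes to {len(ports)} ports {sorted(ports)}")
```

On the sample the SYN sweep and the Xmas probes are reported and the ordinary client is not. A production sensor adds what this sketch leaves out: a time window, connection state (so the half-open scanner's RST/ACK after the SYN/ACK, described above, separates it from a connect scan), and, for UDP scans, the rate of "ICMP port unreachable" messages the target emits.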
Attack Methodology Contd
Step Two - The Probe and Attack (Stack Fingerprinting)
• Stack Fingerprinting
  - This technique allows the hacker to determine the host's operating system.
  - Vendors interpret the RFC guidance differently when writing their TCP stack.
  - TCP stacks can be probed to determine these differences.
• FIN Probe: The stack should not respond; however, many will respond with a FIN/ACK.
• Bogus Flag Probe: An undefined TCP flag is set in the header of a SYN packet.
• ISN Probes: Stacks may differ as to how they determine the Initial Sequence Number.
• DF Bit Monitoring: Some stacks set the DF bit to enhance performance.
• TCP Initial Window Size: The window size on some stacks is unique.
• ACK Value: Stacks differ on the ACK value, e.g., some return Seq + 1 while others will simply return the same Seq number received.