160 likes | 298 Views
Scanning. Determining if the system is alive IP Scanning Port Scanning War Dialing. PING Sweeps. PING is used to send ICMP Echo type 8 packets to determined if a Type 0 reply is received indicating the system is alive. Type 0 Echo Reply Type 3 Destination unreachable Type 4 Source Quench
E N D
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing
PING Sweeps • PING is used to send ICMP Echo type 8 packets to determined if a Type 0 reply is received indicating the system is alive. • Type 0 Echo Reply • Type 3 Destination unreachable • Type 4 Source Quench • Type 8 Echo • Type 11 Time exceeded • Type 13 Timestamp Reply • Type 15 Info Request • Type 16 Info Reply
FPING • Fping for unix systems, can read the contents of a file listing a range of IP addresses • Fping –a –f in.txt
NMAP • NMAP –Sp 192.168.1.0/24 www.insecure.org/nmap
Superscan for Windows • www.foundstone.com
Port Scanning • Determining what services are running or listening by connecting to TCP and UDP ports
Scan Types • TCP Connect (full three way hand shake SYN, SYN/ACK, ACK) • TCP SYN (half open scan SYN/ACK listening state, RST/ACK not listening) • TCP FIN (UNIX, if closed a RST is replied) • TCP xmas tree FIN, URG and PUSH if closed a RST is replied) • TCP Null (if closed a RST is replied) • TCP Ack (Firewall rule sets, stateful firewalls) • TCP Windows (detects open and filter ports) • TCP RPC (Unix, detect RPC ports) • UDP (connectionless, used to receive an ICMP unreachable message for closed ports) SYN SYN/ACK ACK Server Client
Netcat • Nc –v –x –w2 192.168.1.1 1-140
Nmap • Unix based • Nmap –Ss 192.168.1.1
Port Scanners Unix Strobe Tcp_scan Nmap Netcat Windows Netcat Superscan Winscan ipEye WUPS ScanLine
Banner Grabbing • Banner Grabbing is the act of connecting to a network available service or application • Ports 135, 139, 445: generally denotes a Windows system • Ports 512-514: Unix ‘r’ commands
Banner Grabbing • Nmap –O 192.168.1.10 port state Protocol Service 21 Open tcp ftp We could also use packet filtering to grab information!
Banner Grabbing • Automated discovery tools give graphical displays of networks such as • Tkined, cheops and Scotty
War Dialing • Used to dial Telephone numbers searching for remote access/modem connections
Countermeasures • Detect a potential attack early • Use an IDS such as www.snort.org or Genius at www.indiesoft.com • Filter ICMP traffic through Firewall • Use ACLs
Exercise • Download an IP scanner, port scanner and network IDS in groups of three perform scans, banner grabbing and NID