Attacks and Defense. Phase 1: Reconnaissance

Transcription

1 Attacks and Defense Phase 1: Reconnaissance Phase 2: Port Scanning Phase 3: Gaining Access Using Application and Operating System Using Networks Phase 1: Reconnaissance Known as information gathering. o IP addresses of hosts on a target network o Accessible TCP and UDP ports on target systems o Operating systems on target systems Launching attacks pertaining to UNIX vulnerabilities if the target is running only Microsoft servers makes no sense. Malicious hackers value reconnaissance as the first step in an effective attack. 1

2 Passive and Active Reconnaissance Passive reconnaissance gathers data from open source information. Active reconnaissance use technical tools to discover information on the hosts that are active on your target network. Network map diagram the live hosts, their open TCP and UDP ports and their respective operating systems. This information forms the skeleton to knowing what type of attacks to launch. 2

3 Passive Reconnaissance (1) Website Download the website for offline viewing. GNU Wget (ftp://ftp.gnu.org/pub/gnu/wget/) Teleport Pro ( After you launch Teleport Pro, you are prompted with the New Project Wizard 3

4 4

5 5

6 You should look for two things: Comments Contact information Comments: what platform the website is running on, which is useful later when you attempt to infiltrate the target web server. Many web design companies advertise what type of platform they develop sites for. Microsoft IIS platform: if they specialize in ASP,.NET, and frontpage. Unix-based platform: if they specialize is Perl, CGI, PHP and Python. Contact information: any contact information published on the target site. o Typically you can find this by clicking on links labeled About US or Contact Information. 6

7 Pretending another employee, an attacker call an employee at the target organization and duping the individual into revealing sensitive information, such as remote access phone number, etc. Searching the organization s web site, some sites include a description of the computing platforms and architecture in use. 7

8 (2) USENET newsgroups Engineers seek help by posting questions on USENET newsgroups. Unfortunately, some post too much information when they are seeking help. Passive Reconnaissance takes patience, but it is most difficult for the target company to detect. effective, but is often time intensive and do not always produce the most accurate results. 8

9 Active Reconnaissance Uses technical tools to discover information on the hosts that are active on the target network. The drawback is that it is easier to detect. Tools of active reconnaissance NSLookup SamSpade NSLookup: used in Windows and Unix to query Domain Name System (DNS) servers to find DNS details, including IP addresses of a particular computer. unix% nslookup example.com Server: Address: #53 SamSpade: a free windows tool can do DNS lookup ( NSlookup: query a DNS server to find domain name to IP address mapping. Ping: sweeps the target network to determine which IP addresses are alive. 9

10 Phase 2: Port Scanning Determine what network services or ports are active on the live IP. The intruder queries ports to determine the application type and version, and the type and version of operating system running on the target host. Determine if vulnerability exists that can be exploited. Types of port scans: TCP Connect() scan SYN NULL FIN TCP Connect() Scan Attempts the three-way handshake with every TCP port. However, this type of scan is also the most easily detected by intruder detection systems. RST: reset 10

11 SYN Scan Only sends out the initial SYN to the target. If the port is open, the target responds with a SYN- ACK. If it is closed, it responds with an RST. o Does not respond with an ACK packet, which is the expected response in the three-way handshake. o Responds with an RST packet, dropping the connection. o By dropping the connection before the session can become established, the SYN scan can go unnoticed by some firewalls. However, many intrusion detection systems (IDSs) detect SYN scans. 11

12 NULL Scan A packet is sent to a TCP port with no flags set. In normal TCP communication, at least one bit of flag is set. o No flags set, the target responds with an RST packet if the port is closed. o If the port is open, the host ignores the packet, and no response arrives. FIN Scan A packet is sent to each TCP port with the FIN bit set to on. The FIN bit indicates the ending of a TCP session. o An RST response indicates the port being closed, o No response indicates that the port is listening. 12

13 Scanning Tools Nmap: A full featured Port Scanning Tool (nmap.org) The predominant switches available in NMap as they correspond to the scans covered earlier: -st TCP Connect() scan -ss SYN scan -sf FIN scan -sn NULL scan 13

14 Fingerprinting The process of discovering the underlying operating system. o Determining the operating system of your target is important because many of the exploits are specific to the platform. Nmap has built-in fingerprinting feature. You can try techniques such as Telnet or HTTP to get requests. Try telnet to port 21 (FTP): The target was running the Sun operating system if you received the response: #telnet ftp FTP server (UNIX(r)System V Release 4.0) ready. SYST 215 UNIX Type: LB Version: SUNOS Try to perform an HTTP get request. The output you might receive if your target is running Microsoft IIS: #echo 'GET / HTTP/1.0\n' ; grep '"Server' Server: Microsoft-IIS/5.0 14

15 Footprinting The combination of active and passive reconnaissance techniques for the purposes of establishing a strategy of attack. The network map should contain the following: Host names IP addresses Listening port numbers Operating systems The intruder could strategize what type of attack to launch against the target network. The attacks will center on the vulnerabilities found is the operating systems and applications. Defending Against Scanning Harden your System, close all unused ports and apply patches to your systems. Unless there is a defined business need for a given network service, it should be disabled. Find the openings before the attackers do. Use Nmap to scan each of your system that is Internet accessible. Configure IDS to actually fight back with TCP Reset and IP blocking in the efforts to stop further entry or damage to the network. 15

16 Example of Scan Detection Detecting port scans that are executed with Nmap. The examples use a IDS sensor attached to the network with IDS management platform software to monitor sensor alarm in real time. Detecting a TCP Connect() Scan 16

17 You have scanned successfully, look at the Cisco management platform. The sensor actually detected the scan. 17

18 Detecting OS Guessing Nmap uses the o switch to signal operating system detection against the target. 18