Network Scanning. What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide?

Transcription

1 Network Scanning What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide? Where will our research go? Page : 1

2 Function - attacker view What hosts are alive? What services are running on those hosts? How those hosts are organised? What are the operating systems used on those hosts? What is the role of each host? Page : 2

3 Function -- admin view performing an assessment of risks on computer system look for potential problems with computer system Scan known vulnerabilities. Check system configuration Find malicious programs. Page : 3

4 Page : 4 Architecture

5 Types Local scanners can plow through the. contents of files looking for configuration problems to help the administrators and prompt to install the latest security fixes. Remote scanners examine the network and distributed computing vulnerabilities in your system by sending network packets Page : 5

6 ICMP ICMP ECHO/Sweep/Broadcast ICMP Timestamp Request ICMP Address Mask Request -- Authoritative agent ICMP Parameter Problem error -- bad IP header field ICMP Destination Unreachable -- bad IP header value ICMP Fragment Re-assembly Time Exceeded ICMP Fragmentation Needed --- bigger MTU Inverse Mapping using ICMP Reply -- network structure Page : 6

7 Port Scanning TCP Connection TCP SYN scan --- half open scanning Proxy Scanning/FTP Bounce Scanning Reverse-ident scanning -- owner of process Page : 7

8 OS Scanning Banner Grabbing TCP/IP stack Fingerprint Wrong codes in ICMP datagram ICMP error Message Quenching ICMP message Quoting ICMP Error Message Echoing Integrity TOS Field in ICMP Port unreachable Message TCP SYN/FIN/ACK/PSH/DF TCP options Page : 8

9 Stealth Technology Page : 9 SYN/ACK, FIN, XMAS, or NULL scan Random Scanning Slow Scanning Fragmentation Scanning Decoy -- forged attackers Co-ordinated Scanning

10 Page : 10 Insertion & Evasion Bad Header Fields--- e.g. bad checksum or smaller TTL IP options -- e.g, timestamp or source route MAC Address -- attacker and IDS in a LAN IP Fragmentation Basic Re-assembly problem -- inconsistent Overlapping Fragments -- smallest fragment or inconsistent Effect of End-system Fragmentation Bugs IP Options in Fragment Streams -- inconsistent implementation

11 Page : 11 Example: MAC Address

12 Products Page : 12 SATAN/SAINT --- Source code free NMAP --- source code free Firewalk --- Traceroute alike Cisco Secure Scanner --- Trial available ISS System Scanner --- Trial available WebTrends Security Analyzer IBM Network Security Auditor AntiSniff NTO Scanner

13 Page : 13 Products (cont.) COPS: Computer Oracle Password System Advance Administrator Tool Atelier Web Port Scanner Retina Network Security Scanner Distribute Sniffer Scanner CyberCops NetRecon Dragon Sensor by-control for Internet Security NFR

14 SATAN/SAINT Security Analysis Tool for Auditing Networks 1st scanner. Security Administrator's Integrated Network Tool is an updated and enhanced version of SATAN. WebSaint Page : 14

15 Cisco Secure Scanner Network Mapping Data collection Data analysis Vulnerability confirmation Data presentation Reporting Page : 15

16 host-based Page : 16 ISS System Scanner a System Scanner agent receives scan commands from the management console. Agent scans the local system for configuration weaknesses and detects compromised system. Agent assesses file permissions, network service configurations, account setup, security patches, vulnerable programs, and common user-related security weaknesses such as passwords.

17 Retina Network Scanner a network vulnerability scanner Retina uses AI (Artificial Intelligence) to think like a hacker. Retina searches for both known and unknown vulnerabilities.? Page : 17

18 Distributed Sniffer System standards-based monitoring + Expert analysis. Page : 18

19 NetRecon Detect and rank weakness Discover and report vulnerabilities Path analysis Page : 19

20 Hot Topics How to generate packets to confuse IDS? How to generate packets to bypass Firewall? How to co-ordinate distributed scanners? How to develop Expert scanners? How to monitor remotely? How to upgrade scanners easily? How to find unknown vulnerabilities? Page : 20