CIT 380: Securing Computer Systems



Scanning
CIT 380: Securing Computer Systems, Slide #1

Topics
1. Port Scanning
2. Stealth Scanning
3. Version Identification
4. OS Fingerprinting
5. Vulnerability Scanning

Port Scanning
Port scanning is a method of discovering potential input channels on a host by probing the TCP and UDP ports on which services may be listening.

nmap TCP connect() scan

    > nmap -sT scanme.nmap.org
    Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-26
    Nmap scan report for scanme.nmap.org (74.207.244.221)
    Host is up (0.11s latency).
    Not shown: 996 closed ports
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    80/tcp   open     http
    1720/tcp filtered H.323/Q.931
    9929/tcp open     nping-echo
    Nmap done: 1 IP address (1 host up) scanned in 9.92 seconds

Scanning Techniques
1. TCP connect() scan
2. TCP SYN scan
3. TCP FIN scan
4. TCP Xmas scan
5. TCP Null scan
6. TCP ACK scan
7. Fragmentation scan
8. FTP bounce scan
9. Idle scan
10. UDP scan

TCP connect() scan
Use the connect() system call on each port, following the normal TCP connection protocol (3-way handshake). connect() succeeds if the port is listening.
Advantages: fast, requires no privileges.
Disadvantages: easily detectable and blockable.

TCP SYN Scan
Send a SYN packet and wait for the response:
- SYN+ACK: port is open; send RST to tear down the connection.
- RST: port is closed.
Advantage: less likely to be logged or blocked.
Disadvantage: requires root privilege.

TCP FIN scan
Send a TCP FIN packet and wait for the response:
- No response: port is open.
- RST: port is closed.
Advantages: more stealthy than a SYN scan.
Disadvantages: MS Windows doesn't follow the standard (RFC 793) and responds with RST in both cases; requires root privilege.

Xmas and Null Scans
Similar to the FIN scan, with different flag settings:
- Xmas scan: sets the FIN, URG, and PUSH flags.
- Null scan: turns off all TCP flags.

TCP ACK Scan
Does not identify open ports; used to determine the firewall type:
- Packet filter (identifies responses by the ACK bit)
- Stateful
Send a TCP ACK packet to the specified port:
- RST: port is unfiltered (packet got through).
- No response or ICMP unreachable: port is filtered.

Fragmentation Scan
Modify a TCP stealth scan (SYN, FIN, Xmas, Null) to use tiny fragmented IP datagrams.
Advantages: increases the difficulty of scan detection and blocking.
Disadvantages: does not work on all OSes, and may crash some firewalls/sniffers.

FTP Bounce Scan
The FTP protocol supports proxy FTP: the client requests that the server send a file to another IP and port. If the server can open the connection, the port is open.
Advantages: hides the identity of the scanning host; bypasses firewalls by using an FTP server behind the firewall.
Disadvantages: most FTP servers no longer support proxying, though printer FTP servers often still do.

Idle Scan
Use an intermediate idle host to do the scan.
- The idle host must increment its IP ID for each packet.
- The idle host must not receive traffic from anyone other than the attacker.
Scan process:
1. Attacker connects to the idle host to obtain its initial IP ID X.
2. Send a SYN packet to port Y of the target with the spoofed IP of the idle host.
3. If the port is open, the target host will send SYN+ACK to the idle host.
4. The idle host will send a RST packet with IP ID X+1 to the target.
5. Attacker connects with SYN to the idle host to obtain the updated IP ID.
6. The idle host sends back SYN+ACK to the attacker. Note that this action will increment the IP ID by 1.
If the IP ID is X+2, then port Y on the target is open.
Advantages: hides the scanner's IP address from the target.

UDP Scans
Send a 0-byte UDP packet to each UDP port:
- UDP packet returned: port is open.
- ICMP port unreachable: port is closed.
- Nothing: port is listed as open|filtered. The packet could have been lost, or the server may only respond to valid input.
Disadvantages: the ICMP error rate is throttled to a few packets/second (RFC 1812), making UDP scans of all 65535 ports very slow. MS Windows doesn't implement rate limiting.

Version Scanning
Port scanning reveals which ports are open; we guess the services on well-known ports. How can we do better? Find out what server is running, including vendor and version:
- telnet/netcat to the port and check for a banner
- Version scanning

Banner Checking with netcat

    > nc www.nku.edu 80
    GET / HTTP/1.1

    HTTP/1.1 400 Bad Request
    Date: Sun, 07 Oct 2007 19:27:08 GMT
    Server: Apache/1.3.34 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.25 OpenSSL/0.9.7a
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1

    127
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>400 Bad Request</TITLE>
    </HEAD><BODY>
    <H1>Bad Request</H1>
    Your browser sent a request that this server could not understand.<p>
    client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /<P>
    </BODY></HTML>

Version Scanning
1. If the port is TCP, open a connection.
2. Wait for the service to identify itself with a banner.
3. If there is no identification or the port is UDP:
   1. Send a probe string based on the well-known service for that port.
   2. Check the response against a database of known results.
4. If there is no match, test all probe strings in the list.

nmap version scan

    > nmap -sV scanme.nmap.org
    Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-26 17:11 EDT
    Nmap scan report for scanme.nmap.org (74.207.244.221)
    Host is up (0.10s latency).
    Not shown: 996 closed ports
    PORT     STATE    SERVICE     VERSION
    22/tcp   open     ssh         OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
    80/tcp   open     http        Apache httpd 2.2.14 ((Ubuntu))
    1720/tcp filtered H.323/Q.931
    9929/tcp open     nping-echo  Nping echo
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
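The probe-then-match loop from the Version Scanning slide, as an added example written for this page (not nmap's code or its real probe file). The probe database and the "services" are constructed stand-ins, so it runs offline; the regexes and templates are assumptions that mimic the shape of the nmap -sV output above.

```python
import re

# Assumed minimal probe database in the spirit of the algorithm above
# (constructed for this page; not nmap's real nmap-service-probes file).
# Entry: (probe name, bytes to send or None = just wait for a banner,
#         [(regex over the reply, service name, version template), ...]).
PROBES = [
    ("NULL", None, [
        (r"^SSH-(\d\.\d)-OpenSSH_(\S+)", "ssh", "OpenSSH {2} (protocol {1})"),
        (r"^220 \S+ ESMTP Postfix", "smtp", "Postfix smtpd"),
    ]),
    ("GetRequest", b"GET / HTTP/1.0\r\n\r\n", [
        (r"^HTTP/1\.[01] \d{3} .*?\r\nServer: Apache/(\S+)", "http", "Apache httpd {1}"),
        (r"^HTTP/1\.[01] \d{3} .*?\r\nServer: nginx/(\S+)", "http", "nginx {1}"),
    ]),
]

def identify(talk):
    """talk(payload) sends payload (or nothing for None) to the port and returns
    the reply bytes.  Probes are tried in order; the first matching regex wins."""
    for _name, payload, matches in PROBES:
        reply = talk(payload).decode("latin-1", "replace")
        for regex, service, template in matches:
            m = re.search(regex, reply, re.S)
            if m:
                version = template
                for i, group in enumerate(m.groups(), 1):
                    version = version.replace("{%d}" % i, group)
                return service, version
    return "unknown", None          # step 4 exhausted every probe without a match

# Constructed stand-ins for listening services (no network access needed).
def fake_ssh(payload):              # SSH speaks first, so the NULL probe suffices
    return b"SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7\r\n"

def fake_apache(payload):           # HTTP is silent until it receives a request
    if payload is None:
        return b""
    return b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.14 (Ubuntu)\r\n\r\n"

def fake_silent(payload):           # answers nothing, like an unknown UDP service
    return b""
```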

More nmap Tools
Set source port: bypass a firewall by using an allowed source port. Use port 80 for TCP scans and port 53 for UDP scans.
Decoys: send additional scans from a list of decoys, spoofing the IP addresses of the decoy hosts. The defender has to investigate the decoys as well as the attacker.

Defences
Prevention:
- Disable unnecessary services.
- Block ports at the firewall.
- Use a stateful firewall instead of a packet filter.
Detection:
- Network Intrusion Detection Systems. Port scans often have distinct signatures.
- An IPS can react to a scan by blocking the IP address.
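A minimal NIDS-style scan detector built on the signatures the slides describe (many lone SYNs or lone FINs from one source to many ports in a short time), as an added example written for this page rather than taken from the slides or any IDS product. The log format is an assumed iptables-like one and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed iptables-like format
# (time, source, destination, destination port, TCP flags); not real traffic.
SAMPLE_LOG = """\
10:00:01 SRC=198.51.100.7 DST=192.0.2.10 DPT=22 SYN
10:00:01 SRC=198.51.100.7 DST=192.0.2.10 DPT=23 SYN
10:00:01 SRC=198.51.100.7 DST=192.0.2.10 DPT=25 SYN
10:00:02 SRC=198.51.100.7 DST=192.0.2.10 DPT=80 SYN
10:00:02 SRC=198.51.100.7 DST=192.0.2.10 DPT=443 SYN
10:00:02 SRC=198.51.100.7 DST=192.0.2.10 DPT=8080 SYN
10:00:03 SRC=203.0.113.5 DST=192.0.2.10 DPT=80 SYN
10:00:04 SRC=203.0.113.9 DST=192.0.2.10 DPT=22 FIN
10:00:04 SRC=203.0.113.9 DST=192.0.2.10 DPT=80 FIN
10:00:04 SRC=203.0.113.9 DST=192.0.2.10 DPT=443 FIN
10:00:04 SRC=203.0.113.9 DST=192.0.2.10 DPT=3306 FIN
10:00:05 SRC=203.0.113.9 DST=192.0.2.10 DPT=5432 FIN
"""

LINE_RE = re.compile(r"(\d\d):(\d\d):(\d\d) SRC=(\S+) DST=(\S+) DPT=(\d+) (\S+)")

def parse(line):
    m = LINE_RE.match(line)                 # None for lines in another format
    if not m:
        return None
    h, mi, s, src, dst, dport, flags = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), src, dst, int(dport), flags

def detect_scans(log_text, window=5, threshold=5):
    """Flag a source probing >= threshold distinct ports on one host within
    `window` seconds; label the scan type by the flags used (SYN-only, FIN-only)."""
    events = defaultdict(list)              # (src, dst) -> [(t, dport, flags), ...]
    for line in log_text.splitlines():
        e = parse(line)
        if e:
            events[(e[1], e[2])].append((e[0], e[3], e[4]))
    alerts = {}
    for (src, dst), evs in sorted(events.items()):
        evs.sort()
        for t0, _, _ in evs:                # sliding window starting at each event
            hits = [ev for ev in evs if t0 <= ev[0] < t0 + window]
            ports = {p for _, p, _ in hits}
            if len(ports) >= threshold:
                flags = frozenset(f for _, _, f in hits)
                kind = {frozenset({"SYN"}): "SYN scan", frozenset({"FIN"}): "FIN scan"}.get(flags, "mixed-flag scan")
                alerts[src] = (dst, len(ports), kind)
                break                        # one alert per source/destination pair
    return alerts
```

A single connection attempt to one port (203.0.113.5 above) never crosses the threshold, so normal clients are not flagged.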

OS Fingerprinting
Identify the OS by specific features of its TCP/IP network stack implementation:
- Explore TCP/IP differences between OSes.
- Build a database of OS TCP/IP fingerprints.
- Send a set of specially tailored packets to the host.
- Match the results to the identical fingerprint in the database to identify the operating system type and version.

nmap OS fingerprint examples

    > sudo nmap -O scanme.nmap.org
    Device type: general purpose
    Running: Linux 2.6.X|3.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.38-3.0
    Uptime guess: 12.224 days
    TCP Sequence Prediction: Difficulty=202 (Good luck!)
    IP ID Sequence Generation: All zeros

    > sudo nmap -v -O 192.168.1.1
    Device type: general purpose
    Running: Linux 2.4.X
    OS CPE: cpe:/o:linux:linux_kernel:2.4
    OS details: Linux 2.4.18-2.4.35 (likely embedded)
    Uptime guess: 29.789 days
    TCP Sequence Prediction: Difficulty=196 (Good luck!)
    IP ID Sequence Generation: All zeros

OS Fingerprinting Techniques
- FIN probe: RFC 793 requires no response; MS Windows, BSDI, and Cisco IOS send RST.
- Bogus flag probe: bit 7 of the TCP flags is unused; Linux <2.0.35 keeps the flag set in its response.
- TCP ISN sampling: different algorithms for TCP ISNs.
- IP Identification: different algorithms for incrementing the IPID.

Passive Fingerprinting
Identify the OSes of hosts on the network by sniffing the packets each host sends. Uses characteristics similar to the active techniques:
- TTL
- MSS
- Initial window size
- Don't Fragment bit
Tools: p0f
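The passive matching just described (TTL, window size, MSS, DF bit from an observed SYN), as an added example written for this page; it is not p0f's code, and the signature table and the captured-SYN values are constructed assumptions, not p0f's real database. The TTL step shows why a passive tool must first recover the initial TTL from the decremented value seen on the wire.

```python
# Constructed signature table (assumed illustrative values, not p0f's database):
# initial TTL, window size, MSS, Don't Fragment bit -> OS label.
SIGNATURES = [
    {"ittl": 64,  "win": 5840,  "mss": 1460, "df": True,  "os": "Linux 2.4/2.6 (assumed)"},
    {"ittl": 64,  "win": 29200, "mss": 1460, "df": True,  "os": "Linux 3.x (assumed)"},
    {"ittl": 128, "win": 8192,  "mss": 1460, "df": True,  "os": "Windows 7 (assumed)"},
    {"ittl": 64,  "win": 65535, "mss": 1460, "df": True,  "os": "FreeBSD/macOS (assumed)"},
]

def guess_initial_ttl(observed_ttl):
    """The TTL on the wire was decremented once per router hop.  Round it up to
    the nearest common initial value and return (initial TTL, estimated hops)."""
    for initial in (64, 128, 255):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    return None, None

def fingerprint(syn):
    """syn: dict with the observed ttl, win, mss and df of a captured SYN.
    Returns (best OS guess or 'unknown', estimated hop distance)."""
    ittl, hops = guess_initial_ttl(syn["ttl"])
    best, best_score = None, 0
    for sig in SIGNATURES:
        score = sum([sig["ittl"] == ittl, sig["win"] == syn["win"],
                     sig["mss"] == syn["mss"], sig["df"] == syn["df"]])
        if score > best_score:
            best, best_score = sig["os"], score
    if best_score < 3:                       # too weak a match to report
        return "unknown", hops
    return best, hops

# Constructed observations (not real captures).
SYN_LINUX = {"ttl": 58, "win": 5840, "mss": 1460, "df": True}      # 6 hops away
SYN_WINDOWS = {"ttl": 115, "win": 8192, "mss": 1460, "df": True}   # 13 hops away
SYN_ODD = {"ttl": 200, "win": 1024, "mss": 536, "df": False}       # matches nothing
```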

Fingerprinting Defences
- Detection: NIDS.
- Blocking: firewalling, though some probes can't be blocked.
- Deception: IP Personality changes the Linux TCP/IP stack signature to that of another OS in the nmap database.

Vulnerability Scanning
Scan for vulnerabilities in systems:
- Configuration errors
- Well-known system vulnerabilities
Scanning tools:
- Nessus
- OpenVAS
- Nexpose
- GFI LANguard Network Security Scanner
- ISS Internet Scanner

Vulnerability Scanner Architecture
- User Interface
- Vulnerability Database
- Scanning Engine
- Scan Results
- Report Generation

Nessus Report
(figure: sample Nessus report; image not included in the transcription)

Scanning Tools Summary

    Information            Tool
    IP addresses of hosts  ping, nmap -sP
    Network topology       traceroute, lft
    Open ports             nmap -sT, nmap -sU
    Service versions       nmap -sV
    OS                     nmap -O, p0f
    Vulnerabilities        Nessus, OpenVAS
