Network and Services Discovery



Similar documents
CIT 380: Securing Computer Systems

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Remote Network Analysis

Host Fingerprinting and Firewalking With hping

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Algorithms and Techniques Used for Auto-discovery of Network Topology, Assets and Services

An Introduction to Nmap with a Focus on Information Gathering. Ionuț Ambrosie

Host Discovery with nmap

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

CSCE 465 Computer & Network Security

Network Security CS 192

Network Scanning. What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide?

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Denial Of Service. Types of attacks

CS5008: Internet Computing

Attack Lab: Attacks on TCP/IP Protocols

Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm,

Project 4: (E)DoS Attacks

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Chapter 6 Phase 2: Scanning

Attacks and Defense. Phase 1: Reconnaissance

Attack and Defense Techniques

Introduction of Intrusion Detection Systems

Chapter 8 Network Security

ACHILLES CERTIFICATION. SIS Module SLS 1508

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Chapter 8 Security Pt 2

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

NETWORK SECURITY WITH OPENSOURCE FIREWALL

Looking for Trouble: ICMP and IP Statistics to Watch

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Stateful Firewalls. Hank and Foo

How To Understand A Network Attack

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Payment Card Industry (PCI) Executive Report. Pukka Software

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Lecture 5: Network Attacks I. Course Admin

Linux Network Security

Solution of Exercise Sheet 5

Remote Network Analysis

Network Security: Workshop. Dr. Anat Bremler-Barr. Assignment #2 Analyze dump files Solution Taken from

Computer Networks. Chapter 5 Transport Protocols

How do I get to

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Scanning Tools. Scan Types. Network sweeping - Basic technique used to determine which of a range of IP addresses map to live hosts.

Announcements. No question session this week

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Firewall Firewall August, 2003

Configuring TCP Intercept (Preventing Denial-of-Service Attacks)

How To Prevent DoS and DDoS Attacks using Cyberoam

Using SYN Flood Protection in SonicOS Enhanced

Network Security. Network Scanning

SECURING APACHE : DOS & DDOS ATTACKS - I

Firewalls and Intrusion Detection

Netfilter / IPtables

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Classification of Firewalls and Proxies

Layer Four Traceroute (and related tools) A modern, flexible path-discovery solution with advanced features for network (reverse) engineers

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

About Firewall Protection

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

Troubleshooting Tools

Content Distribution Networks (CDN)

Divide and Conquer Real World Distributed Port Scanning

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

Network reconnaissance and IDS

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

TCP SYN Flood - Denial of Service Seung Jae Won University of Windsor wons@uwindsor.ca

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

What is a DoS attack?

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Denial of Service Attacks

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

How to Hack Millions of Routers. Craig Heffner, Seismic LLC

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

ELEN 689: Topics in Network Security: Firewalls. Ellen Mitchell Computing and Information Services 20 April 2006

Lecture Computer Networks

Firewalls. Chapter 3

Post-Class Quiz: Telecommunication & Network Security Domain

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Unverified Fields - A Problem with Firewalls & Firewall Technology Today

A S B

Linux Routers and Community Networks

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Configuring Static and Dynamic NAT Translation

Cisco Configuring Commonly Used IP ACLs

Abstract. Introduction. Section I. What is Denial of Service Attack?

Overview of TCP/IP. TCP/IP and Internet

NAT & IP Masquerade. Internet NETWORK ADDRESS TRANSLATION INTRODUCTION. NAT & IP Masquerade Page 1 of 5. Internal PC

Network Mapper and Vulnerability Scanning

First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

CMPT 471 Networking II

Using IPM to Measure Network Performance

Transcription:

A quick theorical introduction to network scanning January 8, 2016

Disclaimer/Intro Disclaimer/Intro Network scanning is not exact science When an information system is able to interact over the network : The system is always giving some information about himself The system may be used to act as a network scanning tool Attackers are always looking for such kind of services Network scanning is playing an important role in the process of network discovery for end-user but also for the potential attackers.

IP protocol scanning IP protocol scanning How to know the IP protocol supported by a system. Not only limited to UDP or TCP. The approach used is quite simple : - We send a raw IP packet with the protocol defined (RFC3232) and wait for the reply : if received an ICMP protocol unreachable, the protocol is not available on the stack if we got nothing, the procotol is available or ICMP packets are filtered by a firewall e.g. : Useful for testing the protocol available on a router. Is IGMP available?

ICMP scanning ICMP scanning Nifty Internet Control Message Protocol : ICMP type 8 - echo request ICMP type 13 - time stamp request ICMP type 15 - information request ICMP type 17 - netmask request ICMP can be used as very basic discovery tool. Not always filtered as some of them are required by RFCs and/or for proper operation.

TCP Port Scanning - Connect scan TCP Port Scanning - Connect Scan A connect scan is a scan using the vallina connect() approach. The full TCP 3-way handshake is done : - We send a SYN to the target host and port: We wait for the SYN-ACK from the target host if yes, we ll send an ACK to the target. This means that port is open. If we got a RST, the target host is not listening on that port. The connect() scan is very slow, very visible (e.g. TCP Wrappers, netstat) due to the full handshake (ESTABLISHED state).

TCP Port Scanning - Half-open scan TCP Port Scanning - Half-open scan A half-open scan is where the full TCP handshake is not done : - We send a SYN to the target host and port : We wait for the SYN-ACK from the target host if yes, we ll send directly a RST to the target. This means that port is open but we don t continue the handshake. If we got a RST, the target host is not listening on that port. The half-open scan is less visible than the connect() scan. This scan is always faster than the connect() scan too. The main issue is the use of the SYN flag...

TCP Port Scanning - Inversed or stealh TCP scan TCP Port Scanning - Inversed or stealh TCP scan By default a TCP stack must respond (RFC793) to non-syn flag on a closed port with a RST. For open port, the datagram must be discarded. But various systems are still sending RST on open ports too... - We send an FIN or FIN/URG/PUSH or no flag to the target host and port : We wait for the RST from the target host if yes, this means that port is closed. If we got nothing, this is probably an open port. Results are not always reliable but can be used in conjunction with other scan. The main advantage is not to use SYN flag (e.g. packet filter only checking for SYN).

TCP Port Scanning - ACK TCP scan TCP Port Scanning - ACK TCP scan An ACK scan is often used to check the kind of packet filter between you and the target host. - We send an ACK (random ack/seq) to the target host and port : We wait for the RST from the target host Variation of the TTL and Window field is also interesting. if yes, this means that port is unfiltered. If we got nothing, this is probably a filtered port.

Hiding your active scanning Hiding your active scanning If you are an attacker, it s always better to find ways to somewhat hide your various activities : using FTP relay (old ftp server) - RFC959 using open proxies (e.g. CONNECT method) Idle scan approach Using a zombie host to receive your request Cover channel using IPID (IP identification) to receive the reply on open port from the zombie

TCP passive fingerprint TCP passive fingerprint Signatures are built on various TCP/IP parameters : TTL (max. ttl is different following the OS/version) Window Size DF bit set (some OS are sending it or not) ToS ECN, Selective Acknowledgement,... You can build database of remote services including Operating System version, revision...(check tools presentation)

Passive discovery Passive discovery Another way to discover network services is to use an alternative tools that is gathering the information for you. For example, web crawler can do the job for you and they provide nice interface for an exhaustive search : intext:password intext:login user filetype:csv inurl: ViewerFrame?Mode=refresh intitle: index of Microsoft-IIS/ intitle: index of

Scanning to find vulnerable hosts? Network Scanning How to scan an infrastructure? What are the ethical and legal requirements? How often do you need to scan an infrastructure? What are the impact of scanning?

Q and A Thanks for listening. a@foo.be

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information