IOSMap: TCP and UDP Port Scanning on Cisco IOS Platforms



Similar documents
Host Discovery with nmap

Securing Networks with PIX and ASA

NETWORK SECURITY WITH OPENSOURCE FIREWALL

Rapid Assessment Key v2 Technical Overview

Strategies to Protect Against Distributed Denial of Service (DD

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

Firewall Examples. Using a firewall to control traffic in networks

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

Firewalls with IPTables. Jason Healy, Director of Networks and Systems

Lab - Observing DNS Resolution

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

PANDORA FMS NETWORK DEVICES MONITORING

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

An Introduction to Nmap with a Focus on Information Gathering. Ionuț Ambrosie

Firewall implementation and testing

IP Address: the per-network unique identifier used to find you on a network

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

PANDORA FMS NETWORK DEVICE MONITORING

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

Embedded Event Manager Debug Commands on Cisco IOS XR Software

Firewall Firewall August, 2003

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

CS 356 Lecture 16 Denial of Service. Spring 2013

Before deploying SiteAudit it is recommended to review the information below. This will ensure efficient installation and operation of SiteAudit.

Sample Configuration Using the ip nat outside source static

Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0

Interconnecting Cisco Network Devices 1 Course, Class Outline

Understanding Slow Start

co Characterizing and Tracing Packet Floods Using Cisco R

Network Security. Network Scanning

Configuring Health Monitoring Using Health Probes

Cisco Configuring Commonly Used IP ACLs

NetFlow Subinterface Support

Network Address Translation Commands

Linux MDS Firewall Supplement

Lab Characterizing Network Applications

Configuring DHCP Snooping

Table of Contents. Introduction

CNE Network Assessment

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

VPNSCAN: Extending the Audit and Compliance Perimeter. Rob VandenBrink

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Network Monitoring Comparison

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Firewall Stateful Inspection of ICMP

How To Configure Virtual Host with Load Balancing and Health Checking

Configure a Microsoft Windows Workstation Internal IP Stateful Firewall

Freshservice Discovery Probe User Guide

CS Computer and Network Security: Firewalls

Lab Developing ACLs to Implement Firewall Rule Sets

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Firewalls. Chien-Chung Shen

Virtual Fragmentation Reassembly

Configuring Health Monitoring

Looking for Trouble: ICMP and IP Statistics to Watch

Lab 5.5 Configuring Logging

Passive Vulnerability Detection

Network Management & Monitoring

CIT 380: Securing Computer Systems

How To - Implement Clientless Single Sign On Authentication with Active Directory

CS Computer and Network Security: Firewalls

COMP416 Lab (1) Wireshark I. 23 September 2013

Network performance in virtual infrastructures

Configuring Static and Dynamic NAT Simultaneously

Router Lab Reference Guide

Monitoring Android Apps using the logcat and iperf tools. 22 May 2015

Sample Configuration Using the ip nat outside source list C

Question: 3 When using Application Intelligence, Server Time may be defined as.

Network and Services Discovery

Vulnerability Assessment Using Nessus

Cyber Essentials. Test Specification

Transactions. Georgian Technical University. AUTOMATED CONTROL SYSTEMS - No 1(8), 2010

TEIN2 Measurement and Monitoring Workshop.

Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)

Is the Scanning of Computer Networks Dangerous?

Adding an Extended Access List

Firewalls. Pehr Söderman KTH-CSC

Configuring NetFlow Secure Event Logging (NSEL)

H3C Firewall and UTM Devices DNS and NAT Configuration Examples (Comware V5)

Lab - Observing DNS Resolution

How To Set Up Foglight Nms For A Proof Of Concept

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Topic 7 DHCP and NAT. Networking BAsics.

Determine if the expectations/goals/strategies of the firewall have been identified and are sound.

Lab - Using Wireshark to View Network Traffic

Nmap: Scanning the Internet

Cisco Networking Professional-6Months Project Based Training

Running custom scripts which allow you to remotely and securely run a script you wrote on Windows, Mac, Linux, and Unix devices.

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

How to put the DVR online

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

CIS 433/533 - Computer and Network Security Firewalls

MEASURING WIRELESS NETWORK CONNECTION QUALITY

The ntop Project: Open Source Network Monitoring

Introduction to Passive Network Traffic Monitoring

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Transcription:

IOSMap: TCP and UDP Port Scanning on Cisco IOS Platforms Rob VandenBrink June 2009 GIAC GSEC gold, GSNA, GAWN, GCIA gold, GCIH, GPEN SANS Technology Institute - Candidate for Master of Science Degree 1 SANS Technology Institute Candidate for Master of Science Degree 1

Objective In a real business engagement (a case of illegal activity by an IT department member), I was tasked with the following list of requirements: Need to scan for open ports (TCP and UDP). Must remain covert from the Server / Workstation team within the IT group. Preference was to use equipment local to the problem Must use only corporate gear (no consultant laptops, no external software) SANS Technology Institute - Candidate for Master of Science Degree 2

The Solution We chose to implement port scanning on a local Cisco IOS router The scripting language on IOS is TCL (Tool Command Language) Initial scans were simply run from the TCLSH/ CLI command line Anything worth doing twice should be scripted We were able to extend the process of port scanning to include generic packet capture SANS Technology Institute - Candidate for Master of Science Degree 3

The Outcome The person suspected was in fact found to be sharing material illegally Their access to sensitive company information also put corporate data at risk Subsequent packet captures (done from the same IOS platform) allowed us to capture some actual datastreams, so we were not reliant only on port scans for evidence All this was handed over to the HR Group for further action. SANS Technology Institute - Candidate for Master of Science Degree 4

A Tool is Born The basic tool used for the engagement was a 25(ish) line script in TCL After the engagement, I decided to make IOSmap a formal tool Extended the initial script to accept command line input, in roughly the same format as popular Linux and Windows port scanners Extended the script output to similarly match that of popular tools SANS Technology Institute - Candidate for Master of Science Degree 5

TCP Port Scanning Used the native TCL socket command to implement a TCP connect scan No device configuration changes are required Minimal impact on router CPU and memory A more complex methodology is possible (similar to the UDP scan on next slide), but is not implemented on this release of IOSmap SANS Technology Institute - Candidate for Master of Science Degree 6

UDP Port Scanning A more complex process than TCP Port scanning: Send a UDP probe packet to the target ip/port Capture the return traffic - 4 cases to consider: Packet Returned ICMP Port Unreachable is returned (ICMP Type 3, Code 3) Any other ICMP Unreachable (ICMP Type 3) UDP Packet returns from target port Nothing returns Port State Deduced Port is closed - This packet comes from the target host Port is filtered this packet comes from firewall type devices Port is open Port is Open/Filtered - This is the most common scenario SANS Technology Institute - Candidate for Master of Science Degree 7

Platform Impact Memory Usage Memory usage was found to be a straight line function, dependent only on total ports scanned True for both TCP and UDP scans, though UDP scans take significantly more memory For instance, on a /24 network (254 addresses), a UDP scan of 5 ports will exhaust the memory on a typical 256MB router platform SANS Technology Institute - Candidate for Master of Science Degree 8

Platform Impact Memory Utilization SANS Technology Institute - Candidate for Master of Science Degree 9

Platform Impact Change Control UDP port scanning requires changes to the running configuration and running status: Access list is created to define interesting traffic. IP SLA function is used to generate UDP probe packets Debug IP Packet (exec command) is required to capture the packets of interest this will affect CPU utilization All of this means that UDP port scanning on an IOS platform will generally involve getting permission first. SANS Technology Institute - Candidate for Master of Science Degree 10

IOSmap - Syntax HOST DISCOVERY: -P0 Treat all hosts as online - skip Ping test -SL List hosts and ports to scan SCAN TYPE: -sp Ping scan only <ICMP ECHO> -st TCP Connect Scan -su UDP Scan --reason: display the reason a port state is reported as such PORT SPECIFICATION: -p <port ranges> Specify ports to scan. -p22 Scan port 22 -p22,23,135-139,445 Scan ports 22, 23, 135, 136, 137, 138, 139, 445 TARGET SPECIFICATION: SANS Technology Institute - Candidate for Master of Science Degree 11 CIDR, IP range and single IPs are all a supported - comma delimited

Demonstration Network SANS Technology Institute - Candidate for Master of Science Degree 12

Demonstration SANS Technology Institute - Candidate for Master of Science Degree 13

Future Development Top N Ports scans --packet-trace option (display packets) Support for IPv6 Support for more TCP state detection (will require packet capture similar to current UDP approach) IP protocol detection (may not be possible) No RAW packet injection is available (yet), so IP Protocol Scans, SYN scans, script options and other more advanced functions aren t practical Suggestions for IOSmap development are welcome SANS Technology Institute - Candidate for Master of Science Degree 14

Summary I ve found IOSmap to be a useful tool, and have used it in subsequent engagements. I ve learned that code is more than 80% input validation, parsing and formatting, and less than 20% actual function This tool is posted on: Cisco Community Site: http://forums.cisco.com/eforum/servlet/eem? page=eem&fn=script&scriptid=1621 http://www.sourceforge.net/projects/iostools Thanks for your time and interest! SANS Technology Institute - Candidate for Master of Science Degree 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information