UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640


Contents

Topic 1: Analogy
    Reconnaissance Strategies
Topic 2: Module Introduction
Topic 3: Reconnaissance
    What is Reconnaissance?
    Passive Reconnaissance
    Active Reconnaissance
    Activity: Active Reconnaissance
Topic 4: Scanning
    What Is Scanning?
    IP Scanning
    Port Scanning
    Types of Port Scans
    Vulnerability Scanning
    Quiz
    Port Scanning Tool: Nmap
Topic 5: Enumeration
    What Is Enumeration?
Topic 6: Summary
Glossary

UMUC 2012 Page 1 of 37

Topic 1: Analogy

Reconnaissance Strategies (Module 2: The Preattack Phases)

Soldiers often carry out reconnaissance missions in which their only task is to collect facts about an enemy target. Doing so helps them prepare an effective, customized attack strategy. Similarly, hackers trying to break into protected networks research their targets to find ways to carry out an effective attack. Here is an analogy comparing military preattack strategies to the preattack exercises carried out by professional hackers and penetration testers, or pentesters.

Step 1
Military officers conduct scouting to collect information about their targets before an attack. Their goals are to make sure the enemy does not see them coming and to collect as much data as possible about the enemy, so that the attack is effective.

Step 2
Reconnaissance is another word for scouting. The U.S. Army's reconnaissance and surveillance course trains military personnel in surveillance and target acquisition. In reconnaissance, the armed forces research a target to plan the exact point of contact with that target.

Step 3
Reconnaissance, however, is not limited to warfare. It is a tactic used by ordinary people in everyday life. Hackers, for instance, who want to attack a particular network or computer system, perform reconnaissance to learn more about the target. Just as soldiers might monitor enemy troops from a distance as part of a reconnaissance exercise, hackers might observe activity on a target Web site as part of their reconnaissance. The goal remains the same for both: to study the target and move in precisely, not randomly.

Step 4
During reconnaissance, hackers use social engineering techniques and technical tools to learn about the target system's owners, domain names, and IP addresses, among other necessary details. Hackers need enough data to ensure that they are in and out of a system long before the victim has noticed that important data has been compromised.

Topic 2: Module Introduction

Before hackers or penetration testers launch an attack against an organization's network, they conduct a preattack exercise. This exercise helps them gather information, technical and nontechnical, about the system that they are targeting. This information helps attackers decide what type of attack will be most effective against their targets. The first three phases of this preattack exercise are the most critical and are called reconnaissance, scanning, and enumeration. Understanding how these phases work together gives a clear indication of how attackers progress in their study of a target and launch an attack. This module covers active and passive reconnaissance techniques, types of scanning, scanning tools and techniques, and enumeration.

Topic 3: Reconnaissance

What Is Reconnaissance?

Reconnaissance
Reconnaissance is the first step in engineering an effective attack.

Footprinting
Attackers or penetration testers use a process called footprinting during the reconnaissance phase. This process helps them to gather preliminary information about the network they are targeting. The target network can belong to an individual, a corporation, a government, or any public institution.

Data Collection
Though hackers aim to collect as much information as possible, the data they collect during this phase is not enough to draw an accurate map of the target network.

Target
At the end of the reconnaissance phase, attackers have learned who the people behind the target are and which domain names and IP addresses the target network uses.

Topic 3: Reconnaissance

Passive Reconnaissance

There are two types of reconnaissance: passive and active. Passive reconnaissance presents a low level of risk for hackers because the target is unaware that it is being studied: the hacker gathers data from sources that are freely available to the public, such as open source sites, groups and forums, social engineering, vulnerability research sites, and people-search sites, without sending probes to the target's own systems.

Open Source Sites
To use open source sites to gather data about a target, the attacker:
1. first looks for a target Web site
2. downloads the target Web site
3. uses various tools to analyze it offline

One of the most popular Web site downloading tools is the freely available wget, located at www.gnu.org/software/wget. In the module's example, wget -r www.umuc.edu recursively retrieves the Web pages at www.umuc.edu; the -r option of wget enables recursive mirroring of all pages on the site. Note that mirroring a site does contact the target's Web server, and every request it makes lands in that server's access log; it counts as passive only in the sense that it looks like ordinary browsing rather than a probe. Slowing the crawl down (wget's --wait and --limit-rate options) keeps it from standing out in those logs.

Groups and Forums
Many users share information about the vulnerabilities of their systems and ask for solutions or answer queries posed by other users. Hackers use such forums to gather information about target systems and find vulnerabilities in the systems.

Social Engineering Techniques
Social engineering is the art of tricking people into giving out confidential data. A common social engineering technique that hackers use is joining chat rooms their targets might use. In these chat rooms, hackers are able to start conversations through which they can extract valuable data from targets.

Vulnerability Research Sites
Hackers visit vulnerability research Web sites such as www.securityfocus.com or www.hackerstorm.com for the latest attack tools and techniques.

People-Search Sites
To find information such as the names of a system administrator, security engineer, or network engineer of a target company, hackers visit people-search Web sites such as people.yahoo.com or www.peoplefinder.com.

Topic 3: Reconnaissance

Active Reconnaissance

In active reconnaissance, attackers use technical tools to probe the target network for information. For example, attackers may try to connect to different port numbers on the target IP to see which ones are open. In this way, they determine which software/servers are running on that IP, some of which might be vulnerable. Data about a network's IP addresses is usually found through the Domain Name System (DNS). Hackers use several technical tools to query the target network's DNS to discover this data. During this phase, hackers use the following technical tools to learn more about their target:

Whois (www.whois.net)
NSLookup
ARIN (www.arin.net)
DIG
Traceroute

Whois (www.whois.net)
Hackers interrogate the Internet domain name registration system to locate the domain name of a target system. Whois queries the registrar and registry databases (not DNS itself) and returns the registered information for a domain, such as the domain owner, address, location, phone number, and the names of the domain's DNS servers.

NSLookup
The NSLookup tool allows anyone to query a DNS server for information such as host names and IP addresses. Using NSLookup, a hacker can also request a DNS zone transfer from one of the target's authoritative name servers; if that server is misconfigured to allow transfers to anyone, the hacker obtains the entire zone, that is, every host name and address the domain publishes.

ARIN (www.arin.net)
The American Registry for Internet Numbers (ARIN) is one of five worldwide regional Internet registries (RIRs). ARIN oversees public IP addresses for North America. Hackers query ARIN to identify the range of IP addresses their target network uses. ARIN allows hackers to:
Conduct Whois-type searches on its database to locate information about network-related handles, subnet masks, and related points of contact (POC).
Query an IP address to help identify how IP addresses are assigned. For example, a hacker can enter the Web server IP address of a target network into the ARIN Web site, www.arin.net, using Whois to identify the number and the range of IP addresses in use.
DIG
Like the NSLookup tool, Domain Information Groper (DIG) is a flexible tool that performs DNS lookups. DIG interrogates DNS name servers and displays the responses that it receives from the name servers. The responses include data such as host names, IP addresses, and mail exchanger (MX) records. DIG can also be pointed directly at an authoritative server and asked for the AXFR query type, which is a zone transfer request.

Traceroute
Hackers use the Traceroute tool to discover the routes or paths, devices or routers, and Internet service providers (ISPs) that a data packet must cross to reach its target host. Traceroute works by sending probes with increasing time-to-live (TTL) values and reading the ICMP Time Exceeded replies that each router on the path sends back; Windows tracert uses ICMP echo requests as probes, while the Unix traceroute uses UDP datagrams by default and can use TCP probes instead. This is important because ICMP packets are blocked by many network devices such as firewalls. The hop at which the replies stop, while the host beyond it still answers on some port, tells the hacker where a firewall sits in the data path.

DNS and Zone Transfer
A DNS server is responsible for resolving host names to corresponding IP addresses. When a host name, for example www.umuc.edu, is typed into a Web browser, the DNS server converts it into an IP address. This is because the systems on the Internet route traffic by IP address, not by name. An authoritative DNS server serves one or more portions of the name space, each known as a zone. A zone can contain one or more domain names. The authoritative servers for a zone are organized in a hierarchy: a master (primary) DNS server and one or more secondary DNS servers. When a DNS zone has to be updated, the update is made to the primary zone on the master server. The updated records are then copied from the master server's database to the secondary DNS servers. This kind of copy is called a zone transfer (the AXFR request). Because a zone transfer hands over every record in the zone, a correctly configured master answers it only for its own secondaries; a server that answers anyone's AXFR request gives an attacker a complete host list in a single query.

Topic 3: Reconnaissance

Activity: Active Reconnaissance

Introduction
Krista Le Saad is a popular gray hat hacker known for her reconnaissance skills. She has been given an assignment to find out the IP address of the administrative system managing an online bookstore called www.largobooks.com. The assignment has been delegated to Krista by a penetration tester, Sean Stasis. Sean works for a leading IT security firm and needs to find the loopholes and vulnerabilities in www.largobooks.com's network. He often outsources such assignments to young aspiring hackers. Sean's team is ready to begin applying patches for all vulnerabilities once he gets the results from Krista's inquiries. Krista has been given 24 hours to hack into www.largobooks.com. To meet that deadline, Krista needs your help. In this activity, you will be asked to perform three active reconnaissance steps. You will use tools, commands, and Web sites, such as FindRecord and NSLookup, to locate the DNS, find an IP address, and attempt a zone transfer.

Workspace
To help Krista find the IP address of www.largobooks.com's administrative system, perform the following three steps:
Use FindRecord to locate the DNS (the domain's name servers).
Use NSLookup to find the IP address the domain resolves to.
Use NSLookup to query the domain's records and attempt a zone transfer.

Step 1
To query the registration records of www.largobooks.com, Krista uses a tool similar to Whois called FindRecord. On typing www.largobooks.com in the Record Locator field and searching the site, she received the following output.

Domain name: largobooks.com

Registrant Contact:
  n/a
  Alan Carswell ()
  Fax:
  7704 Morningside Dr. NW
  Washington, DC 20012
  AF

Administrative Contact:
  n/a
  Alan Carswell (adcarswell@gmail.com)
  +1.2028297638 Fax: +1.5555555555
  7704 Morningside Dr. NW
  Washington, DC 20012
  AF

Technical Contact:
  n/a
  Alan Carswell (adcarswell@gmail.com)
  +1.2028297638 Fax: +1.5555555555
  7704 Morningside Dr. NW
  Washington, DC 20012
  AF

Status: Locked

Name Servers:
  dns1.registrar-servers.com
  dns2.registrar-servers.com
  dns3.registrar-servers.com
  dns4.registrar-servers.com

Creation date: 02 Jul 20XX 11:10:00
Expiration date: 02 Jul 20XX 06:10:00

NOTE: If you use the Whois tool on a Linux OS, type the command: whois largobooks.com.

Step 2
Analyze the output and answer the following question.

Question: Which of the following information is available in the FindRecord output?
a. Technical contact
b. Administrative contact
c. Domain name
d. IP address of DNS
e. DNS

Correct answers: Options a, b, c, and e

Feedback for the correct answer: That's correct. The technical contact data, the administrative contact, the domain name, and the DNS data showing all the name servers are available in the output.

Feedback for the incorrect or partially correct answer: Not quite. The IP address of the DNS is not available in these results. The domain name, administrative contact, technical contact, and name servers are clearly mentioned.

Step 3
Krista can resolve the domain to an IP address by using a tool such as NSLookup. In this activity, use the IPAddress Locator to help her.

Activity
The following output was generated on typing largobooks.com in the IPAddress Locator.

Server: adedcns01.us.umuc.edu
Address: 131.171.34.194

Non-authoritative answer:
Name: largobooks.com
Address: 199.58.184.57

The first two lines name the recursive resolver that answered (UMUC's own DNS server, 131.171.34.194), and "non-authoritative" means the answer came from that resolver's cache rather than straight from largobooks.com's name servers. largobooks.com resolves to 199.58.184.57. Note that this is the address the domain name points at (the host serving the site; Step 4 confirms it is the Web server), not the address of the DNS servers themselves. To obtain those, look up dns1.registrar-servers.com and the other name servers from Step 1 in the same way.

Note: You can execute NSLookup commands at the Windows command prompt.

Step 4
In this step, you query the domain's DNS records and attempt a zone transfer. The following commands can be executed at the Windows command prompt.

Activity 1
On typing nslookup and pressing the Enter key, NSLookup starts in interactive mode and displays the name and IP address of the default DNS server it will query.

Note: Once nslookup is typed at the Windows command prompt, the prompt will change to >. This indicates that NSLookup is in interactive mode.

Activity 2
On typing server 8.8.8.8 and pressing the Enter key, NSLookup confirms that the server it queries has been changed to Google's public DNS. A public recursive resolver such as this one answers ordinary lookups for any domain, but it will not hand out another organization's zone; a zone transfer has to be requested from one of the domain's own authoritative servers, for example with server dns1.registrar-servers.com, using the name servers found in Step 1.

Activity 3
On typing set type=any and pressing the Enter key, NSLookup is told to ask for every record type (A, NS, MX, SOA, and so on) in a single ANY query instead of only address (A) records. This is still an ordinary DNS query, not a zone transfer: it returns only the records stored under the exact name that is queried.

Activity 4
On typing largobooks.com and pressing the Enter key, NSLookup sends the ANY query for largobooks.com to the selected server and displays every record it returns for that name: the A record, the NS records listing the domain's name servers, the MX records listing its mail servers, and the SOA record. This is the data shown in the module's screenshot. A true zone transfer goes one step further. After selecting one of the domain's authoritative servers with the server command, the Windows NSLookup command ls -d largobooks.com sends an AXFR request for the whole zone. If that server permits transfers to your address, it replies with every record in the zone, including hosts that no ordinary query would reveal; if it is configured correctly, it refuses the request. View the command you have typed in this step and the corresponding results. Then, answer the question.

Question 2: Which of the following data is available in the screenshot?
a. Web server IP address
b. FTP server list
c. Domain name servers list
d. Mail exchange servers list

Correct answers: Options a, c, and d

Feedback: In the output you cannot see an FTP server list. You can see the Web server's IP address, 199.58.184.57 (the domain's A record); the list of www.largobooks.com's domain name servers (the NS records); and the mail exchange servers' list, indicated by "MX", which stands for mail exchanger. The MX records specify the mail servers for a domain.
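The zone transfer described under "DNS and Zone Transfer" and attempted in Step 4 above is, on the wire, a single DNS question of type AXFR sent over TCP. The following is an added example, written for this edit and not code from the UMUC module, that builds that question, parses the server's reply, and shows the two outcomes a tester sees: a misconfigured server streaming the zone, and a correctly configured one answering REFUSED. The name servers and the 199.58.184.57 address come from the activity's own output; mail.largobooks.com, hostmaster.largobooks.com and the SOA serial are made up for the constructed sample.

```python
"""Minimal DNS zone-transfer (AXFR) client on the standard library only.

Added example, not code from the UMUC module. One AXFR question for the zone
is sent to an authoritative server over TCP; the server either streams the
zone's records back or answers REFUSED. The two sample replies below
(fictional largobooks.com zone) are constructed here so the parser runs offline.
"""
import socket
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_MX, TYPE_AXFR = 1, 2, 6, 15, 252   # RFC 1035 type codes
CLASS_IN = 1
RCODES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """'largobooks.com' -> length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """12-byte header (id, flags 0, QDCOUNT 1) + one question: zone, AXFR, IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def read_name(msg, offset):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next_offset)."""
    labels, end, jumped = [], 0, False
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                 # 2-byte pointer into the message
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg):
    """Parse one DNS message into (rcode_name, [(owner, type, rdata_text), ...])."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F))
    offset = 12
    for _ in range(qd):                             # skip the echoed question
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        owner, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A:
            text = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype == TYPE_NS:
            text = read_name(msg, offset)[0]
        elif rtype == TYPE_MX:                      # preference, then exchanger name
            pref = struct.unpack("!H", msg[offset:offset + 2])[0]
            text = "%d %s" % (pref, read_name(msg, offset + 2)[0])
        elif rtype == TYPE_SOA:                     # mname, rname, then serial
            mname, off2 = read_name(msg, offset)
            rname, off2 = read_name(msg, off2)
            text = "%s %s serial=%d" % (mname, rname, struct.unpack("!I", msg[off2:off2 + 4])[0])
        else:
            text = msg[offset:offset + rdlen].hex()
        records.append((owner, rtype, text))
        offset += rdlen
    return rcode, records


def axfr(server, zone, port=53, timeout=5.0):
    """Send the AXFR over TCP (2-byte length prefix) and parse the first reply message."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", s.recv(2))[0]
        msg = b""
        while len(msg) < length:                    # a large zone continues in more messages
            chunk = s.recv(length - len(msg))
            if not chunk:
                break
            msg += chunk
    return parse_response(msg)


def _rr(owner, rtype, rdata):
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata


_QUESTION = encode_name("largobooks.com") + struct.pack("!HH", TYPE_AXFR, CLASS_IN)
_ZONE = b"\xC0\x0C"     # compression pointer to the zone name at offset 12 (the question)


def constructed_axfr_response():
    """Constructed reply from a server that allows the transfer: SOA, NS, NS, MX, A."""
    soa = (encode_name("dns1.registrar-servers.com") + encode_name("hostmaster.largobooks.com")
           + struct.pack("!IIIII", 2012070201, 3600, 900, 604800, 86400))
    body = (_rr(_ZONE, TYPE_SOA, soa)
            + _rr(_ZONE, TYPE_NS, encode_name("dns1.registrar-servers.com"))
            + _rr(_ZONE, TYPE_NS, encode_name("dns2.registrar-servers.com"))
            + _rr(_ZONE, TYPE_MX, struct.pack("!H", 10) + encode_name("mail.largobooks.com"))
            + _rr(_ZONE, TYPE_A, bytes([199, 58, 184, 57])))
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 5, 0, 0)   # QR=1, AA=1, NOERROR
    return header + _QUESTION + body


def constructed_refused_response():
    """Constructed reply from a correctly locked-down server: RCODE 5, no records."""
    return struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _QUESTION   # QR=1, REFUSED
```

Against a live target the call is axfr("dns1.registrar-servers.com", "largobooks.com"); pointing it at a public recursive resolver such as 8.8.8.8 yields REFUSED, which is also what a correctly configured authoritative server returns to anyone but its own secondaries. Note that the records come back with the zone name written as a compression pointer, which is why the parser has to follow pointers rather than read labels blindly.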

Review
A job well done! You've helped Krista locate the IP address and learned to work with DNS query tools. While the technical tools are no doubt important and widely used, nontechnical methods of reconnaissance are equally important to hackers. Nontechnical data is gathered by exploiting human psychology: logic-based persuasion, need-based persuasion, and reciprocation-based social engineering. The infamous hacker Kevin Mitnick was not only tech-savvy but also a master of social engineering.

Social Engineering
Social engineering gives the age-old art of lies and manipulation a technological twist. Using Web-based technologies, such as chat rooms and online forums, attackers persuade or trick strangers into giving up personal information such as access codes, log-in names, and passwords. Since face-to-face interactions are not required in online conversations, social engineers can make up an identity to cheat innocent victims they meet online. This is a social approach to getting confidential data, as opposed to cracking system codes through technological means.

Further Challenges
Visit the Web site www.whois.net and carry out this exercise in real time, then use NSLookup to query the DNS. Next, visit www.arin.net and enter the IP address you found in this activity. Compare the results you get from these sites.

Topic 4: Scanning

What Is Scanning?
In the scanning phase, hackers use different techniques to discover live systems, devices, and open ports or services. There are various types of scanning, such as IP scanning, port scanning, and vulnerability scanning. Sometimes it is not easy to differentiate between the three preattack phases: reconnaissance, scanning, and enumeration. Many of the same information-gathering techniques are used across these phases. For example, port scanning can be considered a part of reconnaissance or a part of the scanning phase.

Types of Scanning

IP Scanning
IP scanning is a technique that can be used to identify the live systems connected to a network segment or IP range.

Port Scanning
Port scanning is the process of scanning a host to determine which Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports are accessible.

Vulnerability Scanning
Vulnerability scanning is the process of automatically assessing networks or applications for vulnerabilities.

Topic 4: Scanning

IP Scanning
IP scanning is used by system administrators to check the connectivity of the hosts on the network. The most popular tool for IP scanning is ping. Ping sends an ICMP echo request to test which target hosts are accessible across an IP network. Target hosts that are live return ICMP echo reply messages. A ping sweep sends echo requests to every address in a range of IP addresses to identify which hosts are live; it says nothing about ports, which is the job of a port scan. Based on best security practices, system administrators typically configure the firewalls or border routers to block ICMP echo requests originating from outside the network, so a missing reply does not prove a host is down; scanners fall back to TCP or ARP probes, or skip host discovery altogether (Nmap's -Pn option). An IP scanner can be used by an inside attacker, where ICMP is rarely blocked, to draw a network map.

Topic 4: Scanning

Port Scanning
Meet Philippe Posen, a freelance security analyst. He's hard at work performing port scans. Philippe uses port scanning to search a network host for open ports. A port is considered open if a service on the host is listening on it and accepting connections. After a successful port scan, Philippe will be able to identify which services the host provides. There are two different kinds of port scans: horizontal and vertical scans.

Horizontal and Vertical Scans
A vertical scan probes many ports on a single host to learn everything that host offers. A horizontal scan probes one port, or a few, across many hosts, for example every address in a subnet on port 445, to find every host running a particular service. Intrusion detection systems look for both patterns: one source touching many ports on one host, or one source touching one port on many hosts.

Topic 4: Scanning

Types of Port Scans
Hackers can perform several different types of horizontal or vertical scans. The type of scan a hacker uses is based on the type of data the hacker wants. The types of scans include the TCP connect scan, SYN stealth scan, NULL scan, ACK scan, FIN scan, and Xmas tree scan.

TCP Connect Scan
The TCP connect scan is the simplest scan technique: the scanner uses the operating system's ordinary connect() call, so a full three-way handshake is completed on every open port.

Scenario 1
An attacker tries to establish a connection on a port of the target system by a three-way handshake (SYN, SYN/ACK, ACK). The attacker knows the target port is open if the connection is successfully established; the scanner then closes it. Because the connection completes, the listening application sees it and may log it, which is the main drawback of this scan.

Scenario 2
The attacker knows that the target port is closed if the target host answers the SYN with a packet that has the reset (RST) flag set. If nothing comes back at all, the port is reported as filtered.
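The TCP connect scan above is the one scan type that needs no special privileges, because it rides on the operating system's normal connect() call. The following is an added example, written for this edit and not code from the UMUC module, that implements it with the open, closed and filtered outcomes the two scenarios describe, and wraps it as both a vertical scan (many ports, one host) and a horizontal scan (one port, many hosts) as defined in the previous section. The listening socket it scans is a constructed local target on the loopback address so the example runs offline.

```python
"""TCP connect scan with the open/closed/filtered meaning the module describes.

Added example; not code from the UMUC module. The OS connect() call completes
the three-way handshake, so a successful connect means open, a RST from the
target (surfacing as ECONNREFUSED) means closed, and silence until the timeout
means filtered. No raw sockets or root needed, unlike SYN/NULL/FIN/Xmas scans.
"""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))          # errno instead of an exception
    if rc == 0:
        return "open"                             # SYN, SYN/ACK, ACK all completed
    if rc in (errno.ECONNREFUSED, errno.ECONNRESET):
        return "closed"                           # target answered the SYN with RST
    return "filtered"                             # timeout (EAGAIN/EWOULDBLOCK) or ICMP error


def vertical_scan(host, ports, timeout=1.0, workers=32):
    """Many ports on one host (a vertical scan). Returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def horizontal_scan(hosts, port, timeout=1.0, workers=32):
    """One port across many hosts (a horizontal scan). Returns {host: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda h: probe_port(h, port, timeout), hosts))
    return dict(zip(hosts, states))


def start_local_listener():
    """Constructed target: a socket listening on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def pick_closed_port():
    """An ephemeral loopback port nothing listens on: bind, read the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    closed_port = pick_closed_port()
    print(vertical_scan("127.0.0.1", [open_port, closed_port]))
    srv.close()
```

Every "open" result here corresponds to a connection the target's kernel accepted into the listen backlog and the scanner then tore down, so an application that logs accepted connections records each probe; that visibility is exactly what the SYN stealth scan in the next section avoids.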

SYN Stealth Scan
This scan is called a half-open scan because a full TCP connection is never established.

Scenario 1
An attacker sends an initial SYN packet to the target. If the port is open, the target responds with a SYN/ACK. The attacker does not respond with the final ACK; instead the scanner (or the attacker's operating system) sends an RST to tear the half-open connection down. Therefore, a full TCP connection is never established, which is why this type of scan is sometimes called a half-open scan. Crafting packets this way requires raw socket access, so it needs administrator or root privileges; Nmap uses a connect scan instead when run unprivileged.

Scenario 2
Some firewalls and applications only log established connections. Since no connection is established in a SYN stealth scan, it can pass through such a firewall without being logged. However, a SYN stealth scan is not truly stealthy, as many firewalls and IDSs detect SYN scans by counting SYNs that are never followed by an ACK.

Scenario 3
If the port is closed, the attacker receives an RST from the target. If there is no reply at all, or an ICMP unreachable error comes back, the port is reported as filtered.

NULL Scan
From the attacker's perspective, the NULL scan is not always reliable, since not all hosts comply with RFC 793.

Scenario 1
An attacker sends a TCP packet with no flags set. No legitimate TCP segment looks like this. If the port is open, an RFC 793-compliant target ignores the packet and does not respond. Because a packet dropped by a firewall also produces no response, the scanner can only report such a port as open or filtered.

Scenario 2
According to RFC 793, when a packet with no flags set arrives at a closed port, the target responds with an RST packet. Some hosts, notably Microsoft Windows and many network devices, send an RST in response to a NULL packet regardless of whether the port is open or not, so every port on them looks closed. That is why the NULL scan is considered unreliable.

FIN Scan
Just like the NULL scan, the FIN scan is not reliable.

Scenario 1
An attacker sends a FIN (finish) packet to the target. A lone FIN can slip past simple packet filters that inspect only SYN packets, because such filters avoid interfering with the FIN packets that close legitimate connections. The target simply ignores the FIN packet if the port is open (reported as open or filtered, for the same reason as in the NULL scan).

Scenario 2
The target responds with an RST if the port is closed. Some hosts send an RST packet regardless of the port being open or closed, making the FIN scan unreliable against them.

ACK Scan
Attackers use ACK scanning to learn which ports are filtered by a firewall and which are unfiltered. It does not tell open ports from closed ones.

Scenario 1
An attacker sends an ACK packet to the target port through its firewall. If there is no response, or an ICMP destination unreachable message is returned, then the port is considered to be filtered. This means that the firewall is stateful: it knows that no internal host has initiated a connection that this ACK could belong to, so it drops the packet.

Scenario 2
If an RST comes back, the port is unfiltered: the ACK reached the host, which answered as RFC 793 requires for an unexpected ACK whether the port is open or closed. The attacker learns only that no firewall rule blocks that port; a SYN or connect scan is still needed to find out whether a service is listening there.

Xmas Tree Scan
This scan gets its name from the three flags set in the probe packet, URG, PSH, and FIN, which "light up" the flag field like Christmas tree lights.

Scenario 1
An attacker sends a TCP packet to the remote target with the URG, PSH, and FIN flags set. Similar to the FIN scan, an open port does not respond (reported as open or filtered).

Scenario 2
On the other hand, a closed port responds with an RST packet. Some hosts send an RST packet in response to such a packet regardless of whether the port is open or not, which makes the result unreliable against them.

Topic 4: Scanning

Vulnerability Scanning
A vulnerability scanner is a computer program that checks target networks for weaknesses. Attackers use vulnerability scans to identify all devices on a network that are exposed to known vulnerabilities. The Nessus tool, located at www.nessus.org, is one of the most well-known vulnerability scanners. Nessus begins by probing a range of IP addresses on a target network to find active or live hosts, then port scans them and runs its checks against the services it finds. After detecting all known vulnerabilities, the tool provides a report in a variety of formats. This report lists the affected services and the remediation or best practices that system administrators can employ to secure the network. Attackers can use the same tool to identify vulnerable and weak spots in a target network; because it sends thousands of service-level probes, a vulnerability scan is far noisier than a port scan and is easily spotted by an IDS.

Topic 4: Scanning

Quiz
Jorge, a black hat hacker, is launching a port-scanning attack on a Web server with an IP address of 192.168.195.128.

Question 1: In the packets numbered 9 to 19, which type of port scanning is used to attack the Web server?
a. Xmas tree scan
b. FIN scan
c. SYN stealth scan

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option c

Feedback: If you look at packets 15 and 16, the SYN and SYN+ACK packets are exchanged by the attacker and the Web server. However, no ACK is sent from the attacker's host. Instead, the attacker sends a new SYN packet to the Web server. A SYN/ACK that is never answered with an ACK, followed by the next SYN, clearly indicates a SYN stealth scan.

Question 2: In the packets numbered 5 to 15, identify the type of port scanning used to attack the Web server.
a. Xmas tree scan
b. NULL scan
c. SYN stealth scan

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option b

Feedback: The probe packets have no TCP flags set at all; Wireshark shows this as <NONE> in the flags column. A probe with no flags is the signature of a NULL scan (an Xmas tree scan would show FIN, PSH, URG, and a SYN scan would show SYN).
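The reasoning the two quiz answers walk through by eye can be written down as detection logic. The following is an added example, written for this edit and not code from the UMUC module, that takes a capture reduced to the columns the quiz reasons about (addresses, ports, TCP flags) and applies the same rules: a SYN answered by SYN/ACK but never followed by the attacker's ACK is a SYN stealth scan, a completed handshake is a connect scan, no flags is a NULL scan, FIN/PSH/URG is an Xmas tree scan, and a lone FIN or lone ACK are the FIN and ACK scans; it also infers each port's state from the reply as the scenarios above describe. The sample captures are constructed to match the quiz's description (the real screenshots are not in the transcript); 192.168.195.128 is the quiz's Web server, and the attacker address 192.168.195.1 is an assumption.

```python
"""Classify a port scan from its TCP flag pattern, as in the module's Wireshark quiz.

Added example; not code from the UMUC module. Packets are reduced to the fields
the quiz reasons about. Captures below are constructed; the attacker address
is assumed, the target address is the quiz's Web server.
"""
from collections import Counter

TARGET = "192.168.195.128"      # the Web server from the quiz
ATTACKER = "192.168.195.1"      # assumed address for the scanning host


def pkt(src, dst, sport, dport, *flags):
    """One captured packet, the way Wireshark's columns summarise it."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": set(flags)}


def _conversations(packets, attacker):
    """Group packets by (attacker port, target port), keeping capture order."""
    convs = {}
    for p in packets:
        key = (p["sport"], p["dport"]) if p["src"] == attacker else (p["dport"], p["sport"])
        convs.setdefault(key, []).append(p)
    return convs


def _infer_state(kind, reply):
    """Port state from the target's reply, following the module's scenarios."""
    got_rst = reply is not None and "RST" in reply
    if kind == "ACK scan":
        return "unfiltered" if got_rst else "filtered"
    if kind in ("NULL scan", "FIN scan", "Xmas tree scan"):
        return "closed" if got_rst else "open|filtered"
    if reply == {"SYN", "ACK"}:
        return "open"
    return "closed" if got_rst else "filtered"


def classify_scan(packets, attacker):
    """Return (scan_type, {target_port: inferred_state}) for one attacker."""
    votes, states = Counter(), {}
    for (_, dport), pkts in _conversations(packets, attacker).items():
        probe = pkts[0]
        if probe["src"] != attacker:
            continue                              # target-initiated, not a probe
        f = probe["flags"]
        reply = next((q["flags"] for q in pkts[1:] if q["src"] != attacker), None)
        if not f:
            kind = "NULL scan"
        elif f == {"FIN", "PSH", "URG"}:
            kind = "Xmas tree scan"
        elif f == {"FIN"}:
            kind = "FIN scan"
        elif f == {"ACK"}:
            kind = "ACK scan"
        elif f == {"SYN"}:
            if reply == {"SYN", "ACK"}:
                # Did the attacker ever finish the handshake with a bare ACK?
                later = [q["flags"] for q in pkts[2:] if q["src"] == attacker]
                kind = "TCP connect scan" if {"ACK"} in later else "SYN stealth scan"
            else:
                kind = "SYN-based scan"           # closed/filtered: connect vs stealth unknown
        else:
            kind = "unknown"
        votes[kind] += 1
        states[dport] = _infer_state(kind, reply)
    # A closed port cannot separate connect from stealth; prefer ports that could.
    decisive = {k: v for k, v in votes.items() if k != "SYN-based scan"} or votes
    label = max(decisive, key=decisive.get) if decisive else "no probes"
    return label, states


# Constructed captures modelled on the quiz: packets 9-19 (SYN stealth) and
# 5-15 (NULL), plus a connect scan and an Xmas tree scan for comparison.
SYN_STEALTH_CAPTURE = [
    pkt(ATTACKER, TARGET, 40001, 80, "SYN"),
    pkt(TARGET, ATTACKER, 80, 40001, "SYN", "ACK"),
    pkt(ATTACKER, TARGET, 40001, 80, "RST"),          # no ACK: handshake never completes
    pkt(ATTACKER, TARGET, 40002, 135, "SYN"),
    pkt(TARGET, ATTACKER, 135, 40002, "SYN", "ACK"),
    pkt(ATTACKER, TARGET, 40002, 135, "RST"),
    pkt(ATTACKER, TARGET, 40003, 22, "SYN"),
    pkt(TARGET, ATTACKER, 22, 40003, "RST", "ACK"),   # closed port
]
NULL_CAPTURE = [
    pkt(ATTACKER, TARGET, 40010, 80),                 # <NONE>: no flags at all
    pkt(ATTACKER, TARGET, 40011, 22),
    pkt(TARGET, ATTACKER, 22, 40011, "RST", "ACK"),
]
CONNECT_CAPTURE = [
    pkt(ATTACKER, TARGET, 40020, 80, "SYN"),
    pkt(TARGET, ATTACKER, 80, 40020, "SYN", "ACK"),
    pkt(ATTACKER, TARGET, 40020, 80, "ACK"),          # handshake completed
    pkt(ATTACKER, TARGET, 40020, 80, "RST", "ACK"),
]
XMAS_CAPTURE = [pkt(ATTACKER, TARGET, 40030, 80, "FIN", "PSH", "URG")]

if __name__ == "__main__":
    for name, cap in [("quiz 9-19", SYN_STEALTH_CAPTURE), ("quiz 5-15", NULL_CAPTURE),
                      ("connect", CONNECT_CAPTURE), ("xmas", XMAS_CAPTURE)]:
        print(name, classify_scan(cap, ATTACKER))
```

The same grouping by conversation is what an IDS does before it can count half-open handshakes per source; the part this toy omits is the time window and the threshold that turn a handful of unanswered SYNs into an alert.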

Topic 4: Scanning

Port Scanning Tool: Nmap

What Is Nmap?
Nmap is a free open source network-mapping utility that determines which hosts are available on the network and lists the services offered by these hosts. With Nmap, a system administrator can perform many types of port scans. Popular Nmap switches, options, and techniques include these (Nmap's switches are case-sensitive):
-sT: TCP connect scan
-sS: SYN stealth scan (the default when Nmap runs with root or administrator privileges)
-sF: FIN scan
-sX: Xmas tree scan
-sN: NULL scan (lowercase -sn is different: host discovery only, with no port scan)
-sA: ACK scan
-sI: idle scan, which bounces probes off a third "zombie" host so the target never sees the attacker's address
-v: Verbose mode
-p: an instruction specifying the port numbers to scan
-P0 (or -Pn in current versions): an instruction to not try to ping the IP addresses before scanning them. Some firewalls block ICMP.
-O: an attempt to detect the operating system

Nmap Example
Here is an example of how Nmap can be used to carry out a SYN stealth scan on a Web server.

Reference: Nmap product screenshot reprinted with permission from Gordon Lyon, the developer of Nmap.

Target
A Web server with an IP address of 192.168.195.128 is running.

Command
The Nmap command nmap -sS 192.168.195.128 is entered.

Open Ports
An attacker performs a SYN stealth scan on the Web server using Nmap. The output shows that ports 80, 135, 139, 443, 445, and 3306 are open: HTTP and HTTPS (80, 443), the Windows RPC and SMB/NetBIOS ports (135, 139, 445), and MySQL (3306).

Topic 5: Enumeration

What Is Enumeration?
After reconnaissance and scanning have told a hacker where the target systems are and which ports they expose, enumeration is the final step of the preattack exercise: the hacker connects to the discovered services to extract technical information such as user accounts, operating systems, application names and versions, shares, and other network resources of the target systems.

Using Nmap
A Web server with an IP address of 192.168.195.128 is running. An attacker uses Nmap to perform a SYN stealth scan on the Web server. The earlier scan showed that ports 80, 135, 139, 443, 445, and 3306 are open.

1. Target
The attacker learns that the Web server running on the target network has an IP address of 192.168.195.128.

2. Nmap Tool
The attacker uses Nmap to fingerprint the target Web server. The attacker enters the command nmap -sS -p T:1-1023 -O -v -Pn 192.168.195.128 to specify that a TCP SYN stealth scan is performed over the port range 1 through 1023 on the host IP 192.168.195.128.

3. OS Switch
The attacker enables the -O switch to attempt to determine the operating system from the way the target's TCP/IP stack responds to Nmap's probes.

4. Ping
The attacker specifies -Pn, which means that ping is not used for host discovery; the host is assumed to be up.

5. OS Details
Note that the operating system is reported as Microsoft Windows XP or Server 2003 (Nmap prints a combined guess such as "Windows XP|2003" when its fingerprints cannot tell the two apart), with Microsoft Windows XP Professional SP2 as the closest match.

6. Result
The results show that the host server with an IP address of 192.168.195.128 has ports 80, 135, 139, 443, and 445 open and runs Microsoft Windows XP or Server 2003. Port 3306 does not appear this time only because the scan was limited to ports 1 through 1023.

Reference: Nmap product screenshot reprinted with permission from Gordon Lyon, the developer of Nmap.

Using Telnet

Sometimes a hacker does not even need a sophisticated tool like Nmap. A hacker can simply use a Telnet command to grab the HTTP header and identify the type of operating system or Web server the target uses.

1. Telnet Command: The attacker types the command telnet www.umuc.edu 80 to connect to the Web server www.umuc.edu.

2. HEAD: Then, the attacker types HEAD / HTTP/1.0 to send an HTTP request to the Web server.

3. Apache X: The telnet output displays the content of the HTTP response header received from the UMUC Web server. The HTTP header shows that the Web server is Apache, powered by PHP.

4. Malformed HTTP Packet: Using another telnet connection (telnet www.umuc.edu), the attacker sends a malformed HTTP packet to the Web server; this input is invalid because HTTP 3.0 is not available. The attacker sends a malformed packet because some targets do not show any useful information when they are given valid input.

However, when the target receives malformed input, it returns a useful banner of information. Therefore, attackers do not always need to send valid input to a target to get useful information; they can send invalid input and observe the output.

5. Web Server: The invalid, malformed input returns some useful information (Apache Web server, HTTP 1.1) along with some information that is not very useful, such as the charset.
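The header block that the telnet session prints can be parsed mechanically, which lets a defender audit what a HEAD request (valid or malformed) gives away. The following is an added example, not part of the course material: it builds the same HEAD / HTTP/1.0 request the exercise types by hand, parses a raw response into its headers, and flags the identifying headers. Both response samples are constructed to resemble the Apache and PHP headers described in steps 3 and 5; they are not captures from www.umuc.edu, and the version strings in them are invented.

```python
"""Parse HTTP response headers from a HEAD banner grab and flag disclosure.

Added example for this module; the two responses below are constructed.
"""
import re
import socket

# The request the telnet exercise sends (HTTP/1.0 does not require Host,
# but sending it avoids a 400 from name-based virtual hosts).
HEAD_REQUEST = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n"

# Constructed response to a valid HEAD request (version numbers invented).
SAMPLE_VALID = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2012 00:00:00 GMT\r\n"
    b"Server: Apache/2.2.3 (CentOS)\r\n"
    b"X-Powered-By: PHP/5.1.6\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)

# Constructed response to a malformed request: the error page still carries
# the Server header, which is why step 4 of the exercise works at all.
SAMPLE_MALFORMED = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
)

# Headers that identify server software; lower-case for case-insensitive lookup.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_headers(raw: bytes) -> tuple:
    """Split a raw HTTP response into (status line, {lower-case name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def disclosed_software(raw: bytes) -> dict:
    """Return the identifying headers present in the response."""
    _, headers = parse_headers(raw)
    return {h: headers[h] for h in DISCLOSURE_HEADERS if h in headers}


def has_version_disclosure(raw: bytes) -> bool:
    """True when an identifying header carries a version (a '/' then a digit,
    as in Apache/2.2.3); a bare product name such as 'Apache' does not count."""
    return any(re.search(r"/\d", v) for v in disclosed_software(raw).values())


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the HEAD request over TCP and return the raw response, which is
    what the telnet session displays. Not invoked at import time."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(HEAD_REQUEST % host.encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\r\n\r\n" in b"".join(chunks):
                break
    return b"".join(chunks)


if __name__ == "__main__":
    for label, sample in (("valid", SAMPLE_VALID), ("malformed", SAMPLE_MALFORMED)):
        print(label, disclosed_software(sample), "version leak:", has_version_disclosure(sample))
```

On the constructed samples the valid request discloses both the Apache and PHP versions while the malformed one discloses only the product name, mirroring the exercise's observation that an error response still identifies the server. The Apache directives ServerTokens Prod and ServerSignature Off, and expose_php = Off in php.ini, reduce the banner to what the malformed case shows.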

Topic 6: Summary

We have come to the end of Module 2. The key concepts covered in this module are listed below.

Hackers or penetration testers carry out a preattack exercise to study the target they plan to attack. The first three phases of this preattack exercise (reconnaissance, scanning, and enumeration) are the most critical.

The reconnaissance phase is performed in two stages: passive and active reconnaissance. During passive reconnaissance, hackers research open-source sites, groups and forums, and social engineering sites to gather nontechnical data about their targets. During active reconnaissance, hackers use technical tools such as Whois, NSLookup, the American Registry for Internet Numbers (ARIN), Domain Information Groper (DIG), and Traceroute to find their targets' IP addresses. By using Whois or similar tools to query a domain name, hackers are able to find out the domain name, administrative contact, technical contact, and name servers of their target. The IP address of the domain name server is not revealed until hackers run the NSLookup command and perform a zone transfer.

Scanning, the second preattack phase, helps hackers discover live systems, devices, and open ports on the target network. There are three types of scanning: IP, port, and vulnerability scanning. IP scanning is used to identify live systems connected to a network. Port scanning is used to find accessible Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports. Vulnerability scanning is used to assess networks for vulnerabilities. There are two types of port scans: horizontal and vertical. The port scans that help hackers obtain data (TCP connect scans, SYN scans, NULL scans, ACK scans, FIN scans, and Xmas tree scans) can be performed as horizontal or vertical scans. Nmap is a free, open-source network-mapping utility that determines which hosts are available on the network and lists the services those hosts offer. With Nmap, a system administrator can perform many types of port scans.

In the last phase of the preattack exercise, hackers launch an enumeration attack to identify the operating systems and user accounts of their targets. This attack is carried out using a set of techniques to extract technical information such as user accounts, operating systems, application names, and network resources.

Glossary

Active Reconnaissance: During active reconnaissance, hackers use technical tools such as Whois, NSLookup, ARIN, DIG, and Traceroute to find out their targets' IP addresses.

ACK Scan: ACK scanning is a type of port scan that tells whether ports on a firewall are filtered or unfiltered. If the target's firewall returns an RST, then the port is unfiltered and vulnerable.

American Registry for Internet Numbers: The American Registry for Internet Numbers (ARIN) is the IP address registry for North America. ARIN allows Whois-type searches on its database to locate information on networks.

Domain Information Groper: The DIG command allows attackers to search the DNS database and find the open name servers attached to a domain.

Domain Name Service: The Domain Name Service (DNS) translates Internet domain names, such as www.xyz.com, into Internet Protocol (IP) addresses.

Domain Name System: The Domain Name System is an Internet system that associates domain names with IP addresses, allowing computers to communicate over the World Wide Web.

Enumeration: Enumeration is the third phase in a hacker's preattack exercise. Hackers use enumeration techniques to learn technical data (operating systems and user accounts) about a network system.

FIN Scan: The FIN (finish) scan is a type of port scan that is able to pass through firewalls. Open ports don't respond, but closed ports respond with an RST.

Footprinting: A method of processing or gathering information about a target system.

Internet Control Message Protocol: The Internet Control Message Protocol (ICMP) integrates with the Internet Protocol (IP). It reports error, control, and informational messages between a host and a gateway.

Nmap: The Nmap security scanner is used to discover hosts and services on a network. Based on the network conditions, it sends packets with specific information to the target host and evaluates the responses to create a network map.

NSLookup: The NSLookup tool queries a DNS server and performs a DNS zone transfer to gather data on a targeted network.

NULL Scan: A NULL scan is a type of port scan in which an attacker sends a data packet without any flag set. If the port is open, the target host ignores the packet.

Passive Reconnaissance: During passive reconnaissance, hackers research open-source sites, groups and forums, and social engineering sites to gather nontechnical data about their targets. To do this, hackers use social engineering.

Penetration Testers: Penetration testers are security analysts who perform penetration tests, or pentests, to assess the security of a network system.

Ping: This utility sends an ICMP echo request (ping) to a target system and waits for a reply (pong).

Port Scanner: Port scanners identify open ports and help an intruder identify a target system's weak access point.

Reconnaissance: Reconnaissance is the first phase of the preattack exercise carried out by hackers to learn about the people who work at the target company and the target network's IP address. Hackers use a process called footprinting and perform two types of reconnaissance: passive and active.

RFC 793: RFC (Request for Comments) 793 is a document that describes the DoD Standard Transmission Control Protocol (TCP).

Scanning: Scanning is the second preattack phase, used by hackers to discover live systems, devices, and open ports on a network. Hackers perform three types of scanning: IP, port, and vulnerability scanning.

Social Engineering: Social engineering is a method of gathering information, seeking computer access, or committing fraud by using manipulation and deceit to get people to reveal confidential information about themselves or an organization.

SYN Scan: In a SYN stealth scan, the attacker sends an initial SYN packet to the target. If the port is open, the target responds with a SYN/ACK.

TCP/IP: Transmission Control Protocol/Internet Protocol (TCP/IP) is the communication protocol suite for the Internet.

TCP Connect Scan: In a TCP connect scan, an attacker tries to establish a connection on a port of the target system by a three-way handshake. The attacker knows the target port is open if the connection is successfully established.

User Datagram Protocol: User Datagram Protocol (UDP) is a network protocol that allows computers to exchange messages over an Internet network without the need for special transmission channels or data paths.

Vulnerability Scanner: Vulnerability scanners analyze, classify, and identify flaws and vulnerabilities in the targeted system.

Wget: Located at www.gnu.org/software/wget, the wget tool is a popular and freely available Web site downloading tool.

Whois: A tool that allows hackers to query DNS to obtain registered information, such as the domain ownership, address, location, and phone number.

Xmas Tree Scan: To perform the Xmas tree scan, an attacker sends a TCP packet to the remote target with the URG, PUSH, and FIN flags set. As in a FIN scan, open ports don't respond, but closed ports respond with an RST.
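The scan types listed under Topic 4 and defined in this glossary (TCP connect, SYN, FIN, NULL, Xmas tree, ACK) all rest on one rule set from RFC 793: a closed port answers an unexpected segment with RST, an open port answers SYN with SYN/ACK and silently drops FIN, NULL and Xmas probes, and an unfiltered port answers a bare ACK with RST whether it is open or closed. The following added example (not course or Nmap code) encodes that rule set so the glossary definitions can be checked against each other, and then shows the defender's side of the same table: a FIN-only, flag-less or FIN/PSH/URG segment never occurs in a legitimate TCP exchange, so matching those flag combinations is a direct detection for stealth scans. The packet records at the bottom are constructed.

```python
"""Port-state rules for the module's TCP scan types, plus a flag-based
detector for FIN, NULL and Xmas probes.

Added example for this module; not course material and not Nmap code.
SAMPLE_PACKETS is constructed.
"""
from enum import IntFlag


class Flags(IntFlag):
    FIN = 0x01
    SYN = 0x02
    RST = 0x04
    PSH = 0x08
    ACK = 0x10
    URG = 0x20


# Flags each scan type sends in its probe (Nmap switch in the comment).
PROBES = {
    "connect": Flags.SYN,                          # -sT, completes the handshake
    "syn":     Flags.SYN,                          # -sS, RST after SYN/ACK instead
    "fin":     Flags.FIN,                          # -sF
    "null":    Flags(0),                           # -sN
    "xmas":    Flags.FIN | Flags.PSH | Flags.URG,  # -sX
    "ack":     Flags.ACK,                          # -sA
}

NO_REPLY = None  # probe timed out without any segment coming back


def classify(scan: str, reply) -> str:
    """Infer the port state from the reply flags (an int) or NO_REPLY."""
    if scan not in PROBES:
        raise ValueError(f"unknown scan type {scan!r}")
    if scan == "ack":
        # ACK scan measures only the firewall: an RST means the port is
        # reachable (unfiltered); silence means a filter dropped the probe.
        if reply is not NO_REPLY and reply & Flags.RST:
            return "unfiltered"
        return "filtered"
    if scan in ("connect", "syn"):
        if reply is NO_REPLY:
            return "filtered"
        if reply & Flags.SYN and reply & Flags.ACK:
            return "open"
        if reply & Flags.RST:
            return "closed"
        return "filtered"
    # FIN, NULL and Xmas: only a closed port talks back (RST); silence cannot
    # distinguish an open port from a filter, hence Nmap's "open|filtered".
    if reply is not NO_REPLY and reply & Flags.RST:
        return "closed"
    return "open|filtered"


# Flag combinations that identify a stealth probe; keyed by int so the lookup
# does not depend on IntFlag pseudo-member identity.
STEALTH_PROBES = {
    int(PROBES["fin"]):  "FIN scan",
    int(PROBES["null"]): "NULL scan",
    int(PROBES["xmas"]): "Xmas tree scan",
}


def detect_stealth_probes(packets) -> list:
    """Return (src, dst, dport, label) for each segment whose exact flag set
    is a FIN, NULL or Xmas probe. FIN together with ACK (a normal close) is
    not matched, so ordinary traffic does not trigger it."""
    hits = []
    for pkt in packets:
        label = STEALTH_PROBES.get(int(pkt["flags"]))
        if label:
            hits.append((pkt["src"], pkt["dst"], pkt["dport"], label))
    return hits


# Constructed packet records: one normal handshake start and close, then
# three stealth probes from a second source (assumed addresses).
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "192.168.195.128", "dport": 80,   "flags": int(Flags.SYN)},
    {"src": "10.0.0.5", "dst": "192.168.195.128", "dport": 80,   "flags": int(Flags.FIN | Flags.ACK)},
    {"src": "10.0.0.9", "dst": "192.168.195.128", "dport": 139,  "flags": 0},
    {"src": "10.0.0.9", "dst": "192.168.195.128", "dport": 445,  "flags": int(Flags.FIN | Flags.PSH | Flags.URG)},
    {"src": "10.0.0.9", "dst": "192.168.195.128", "dport": 3306, "flags": int(Flags.FIN)},
]

if __name__ == "__main__":
    for scan, reply in (("syn", int(Flags.SYN | Flags.ACK)), ("fin", NO_REPLY), ("ack", int(Flags.RST))):
        print(scan, "->", classify(scan, reply))
    for hit in detect_stealth_probes(SAMPLE_PACKETS):
        print("alert:", hit)
```

The classifier reproduces the glossary's statements (SYN/ACK means open for a SYN scan, RST means unfiltered for an ACK scan, silence for FIN, NULL and Xmas probes is ambiguous), and the detector is the rule a network IDS applies: alert on the flag combination itself rather than on volume, since a single NULL or Xmas segment already has no legitimate explanation.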