Port Scanning and Vulnerability Assessment ECE4893 Internetwork Security Georgia Institute of Technology
Agenda
- Reconnaissance
- Scanning: Network Mapping
- OS detection
- Vulnerability assessment

Reconnaissance
- Internet Network Information Center who-is database: www.internic.net/whois.html
- Registrar's database, e.g. www.networksolutions.com
- American Registry for Internet Numbers (ARIN): http://ww2.arin.net/whois/
- Domain Name System (DNS): nslookup

Scanning: Network Mapping
- Ping and traceroute
- Cheops network mapping tool
Cheops-ng
- Created by Mark Spencer for Linux systems, available at http://www.marko.net/cheops/
- Purpose: to provide system administrators and users with a simple interface for managing and accessing their networks. Cheops aims to do for the network what the file manager did for the filesystem.
- This tool automates ping and traceroute.

Cheops-ng: What does it do?
- Finds active hosts in a network
- Determines the names of active hosts
- Discovers host operating systems
- Detects open ports
- Maps the complete network in a graphical format
- Monitors hosts

Cheops-ng: How does it work?
- ICMP ping packets are used to search a network for live hosts
- Domain Name Transfers (nslookup) are used to list hosts
- Invalid flags on TCP packets (queso) are used to detect the OS
- Half-open TCP connections are used to detect open ports
- UDP packets with small TTL values are used to map the network
- Normal connect sequences are used to conduct monitoring
Scanning: Port scanning (1)
Why: to find open ports in order to exploit them.
How:
- TCP Connect -- attempts to complete the 3-way handshake and looks for a SYN-ACK; this scan is easy to detect because the target records the completed connection
- TCP SYN Scan -- half-open scan: looks for a SYN-ACK, then sends a RESET instead of completing the handshake, so the target system does not record the connection; also faster than the TCP connect scan
- TCP FIN, Xmas Tree, Null Scans -- scans that violate the protocol: closed ports send a RESET, open ports send nothing (Windows does not respond to these scans)

Port scanning (2)
How (cont.):
- TCP ACK Scan -- may be useful for getting past packet filters (the filter believes the packet is a response to a request from inside the firewall); if a RESET is received, the port is known to be open through the firewall
- FTP Bounce Scan -- requests that the FTP server send a file to a victim machine inside its network (most servers have disabled this service)
- UDP Scan -- unreliable: if an ICMP Port Unreachable is received, assume the port is closed, otherwise assume it is open
- Ping Sweep -- can use ICMP or TCP packets

Port scanning (3)
Additional info:
- Decoys -- insert false source IP addresses into scan packets
- Ping Sweeps -- identify active hosts on a target network
- Find RPCs -- connect to each open port looking for common RPC services (send NULL RPC commands)
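The scan techniques above are defined by the TCP flag combinations they send, which is also what a defender looks for. The following is an added example (not part of the lecture slides and not Nmap or Cheops code) that classifies individual probes by flag combination and then groups them per source to spot a port sweep. The packet records are constructed: each tuple stands for an inbound packet that a stateful firewall logged as not belonging to any existing connection, so a lone ACK is an unsolicited probe rather than part of a normal session. The threshold and the record format are assumptions.

```python
"""Classify TCP scan probes by flag combination and find likely scanners.

Added example. Input records are constructed (src_ip, dst_port, tcp_flags)
tuples representing inbound packets with no matching connection state.
"""
from collections import defaultdict

# TCP flag bits, in header order.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> str:
    """Name the scan technique a single connectionless packet's flags match.

    Returns "normal" for combinations a legitimate session would use
    (e.g. SYN-ACK, or data segments carrying ACK with PSH)."""
    if flags == 0:
        return "null"               # no flags at all: protocol violation
    if flags == FIN | PSH | URG:
        return "xmas"               # Xmas Tree: FIN+PSH+URG without SYN/ACK
    if flags == FIN:
        return "fin"                # FIN with no established connection
    if flags == SYN:
        return "syn"                # connect() scan, SYN scan, or a real client
    if flags == ACK:
        return "ack"                # unsolicited ACK: probes filter rules
    return "normal"


def find_scanners(records, port_threshold=5):
    """Group probes by source; flag sources that sweep many distinct ports
    or send even one protocol-violating (null/xmas/fin) probe.

    Returns {src_ip: {"ports": n_distinct_ports, "techniques": [...]}}."""
    ports = defaultdict(set)
    techs = defaultdict(set)
    for src, dport, flags in records:
        kind = classify_probe(flags)
        if kind == "normal":
            continue
        ports[src].add(dport)
        techs[src].add(kind)
    suspects = {}
    for src in ports:
        illegal = techs[src] & {"null", "xmas", "fin"}
        if len(ports[src]) >= port_threshold or illegal:
            suspects[src] = {"ports": len(ports[src]),
                             "techniques": sorted(techs[src])}
    return suspects


# Constructed sample log: one SYN sweep, one Xmas probe, one ordinary client.
SAMPLE_RECORDS = [
    ("198.51.100.7", 22, SYN),            # SYN sweep across five ports
    ("198.51.100.7", 25, SYN),
    ("198.51.100.7", 80, SYN),
    ("198.51.100.7", 443, SYN),
    ("198.51.100.7", 8080, SYN),
    ("203.0.113.9", 80, FIN | PSH | URG), # single Xmas Tree probe
    ("192.0.2.44", 443, SYN),             # one normal connection attempt
]

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_RECORDS).items():
        print(src, info)
```

A single SYN is indistinguishable from a legitimate client, so SYN probes are only reported once a source has touched several distinct ports; Xmas, Null and FIN probes never occur in normal traffic and are reported on first sight. In a real deployment the records would come from a firewall or IDS log of connection attempts without state.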
OS detection
- Why: to determine which operating system is in use in order to exploit its known vulnerabilities.
- Also known as TCP stack fingerprinting.
- Takes advantage of the ambiguity in the RFCs about how to handle illegal combinations of TCP code bits: each OS responds to illegal combinations in a different way, so the OS is determined from the system's responses.
Nmap
- Purpose: to allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering.
- Available at: http://www.insecure.org/nmap/

Nmap: What does it do?
- Port scanning
- OS detection
- Ping sweeps

Nmap: How does it work?
Uses the following scan techniques:
- UDP
- TCP connect()
- TCP SYN (half open)
- ftp proxy (bounce attack)
- Reverse-Identification
- ICMP (ping sweep)
- FIN
- ACK sweep
- Xmas Tree
- SYN sweep
- IP Protocol
- Null Scan

Nmap: How does it work? (2)
Uses the following OS detection techniques:
- TCP/IP fingerprinting
- stealth scanning
- dynamic delay and retransmission calculations
- parallel scanning
- detection of down hosts via parallel pings
- decoy scanning
- port filtering detection
- direct (non-portmapper) RPC scanning
- fragmentation scanning
- flexible target and port specification
Vulnerability Assessment (1)
Vulnerabilities come from:
- Default configuration weaknesses
- Configuration errors
- Security holes in applications and protocols
- Failure to implement patches!

Vulnerability Assessment (2)
Vulnerability checkers use:
- Database of known vulnerabilities
- Configuration tool
- Scanning engine
- Knowledge base of the current scan
- Report generation tool
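To make the components on the slide concrete, here is an added example (not Nessus code, and not part of the lecture) that wires them together in miniature: a vulnerability database, a scanning engine that runs plug-in checks, a knowledge base that accumulates what the scan learns per host, and a report generator. The service names, version numbers and vulnerability identifiers are constructed placeholders, not real advisories; the host inventory is likewise constructed and stands in for what the port-scanning phase would have discovered.

```python
"""Minimal model of a vulnerability checker's components.

Added example. VULN_DB entries, service names and SAMPLE_INVENTORY are
constructed placeholders (EXAMPLE-000x are not real vulnerability ids).
"""
from dataclasses import dataclass


@dataclass
class Vuln:
    vuln_id: str       # placeholder identifier
    service: str       # service name as reported by banner grabbing
    fixed_in: tuple    # first version that is NOT affected
    severity: str
    summary: str


# Database of known vulnerabilities (constructed placeholders).
VULN_DB = [
    Vuln("EXAMPLE-0001", "exampleftpd", (2, 1, 0), "high",
         "anonymous write enabled in versions before 2.1.0"),
    Vuln("EXAMPLE-0002", "examplehttpd", (1, 4, 2), "medium",
         "directory listing disclosure in versions before 1.4.2"),
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

# Legacy "simple TCP" services commonly flagged as useless: echo, daytime, chargen.
LEGACY_PORTS = {7: "echo", 13: "daytime", 19: "chargen"}


def parse_version(text: str) -> tuple:
    """'2.0.3' -> (2, 0, 3), so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def check_known_versions(host, kb):
    """Plug-in: compare each discovered service version against VULN_DB."""
    findings = []
    for port, (name, version) in kb[host]["services"].items():
        for v in VULN_DB:
            if v.service == name and parse_version(version) < v.fixed_in:
                findings.append({"port": port, "id": v.vuln_id,
                                 "severity": v.severity, "summary": v.summary})
    return findings


def check_legacy_services(host, kb):
    """Plug-in: report legacy services that should be disabled if unused."""
    return [{"port": p, "id": "LEGACY-SERVICE", "severity": "info",
             "summary": f"legacy {LEGACY_PORTS[p]} service exposed; disable if unused"}
            for p in kb[host]["services"] if p in LEGACY_PORTS]


PLUGINS = [check_known_versions, check_legacy_services]


def run_scan(inventory):
    """Scanning engine: seed the knowledge base from the inventory, then run
    every plug-in against every host, recording findings in the knowledge base."""
    kb = {host: {"services": dict(services), "findings": []}
          for host, services in inventory.items()}
    for host in kb:
        for plugin in PLUGINS:
            kb[host]["findings"].extend(plugin(host, kb))
    return kb


def generate_report(kb) -> str:
    """Report generator: one block per host, findings ordered by severity then port."""
    lines = []
    for host in sorted(kb):
        findings = sorted(kb[host]["findings"],
                          key=lambda f: (SEVERITY_ORDER[f["severity"]], f["port"]))
        lines.append(f"Host {host}: {len(findings)} finding(s)")
        for f in findings:
            lines.append(f"  [{f['severity']}] port {f['port']}: {f['id']} - {f['summary']}")
    return "\n".join(lines)


# Constructed inventory: host -> {port: (service name, version)}.
SAMPLE_INVENTORY = {
    "192.0.2.10": {21: ("exampleftpd", "2.0.3"), 80: ("examplehttpd", "1.4.2")},
    "192.0.2.11": {19: ("chargen", "n/a"), 80: ("examplehttpd", "1.3.9")},
}

if __name__ == "__main__":
    print(generate_report(run_scan(SAMPLE_INVENTORY)))
```

Each plug-in is a plain function that reads the knowledge base and returns findings, which is the same division of labour the slide describes: the engine knows nothing about individual vulnerabilities, and adding a check means adding a database entry or a plug-in rather than touching the engine. Note that version comparison is done on parsed tuples, since comparing "1.10" and "1.9" as strings gives the wrong answer.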
Nessus
- Purpose: to provide the internet community with a free, powerful, up-to-date and easy-to-use remote security scanner.
- Security Scanner: software that remotely audits a given network and determines whether bad guys (aka 'crackers') may break into it, or misuse it in some way.
- Available platforms: UNIX for client and server; Windows for client only
- Available at: http://www.nessus.org/

Nessus: What does it do?
- Iteratively tests a target system (or systems) for known exploitable vulnerabilities
- Uses a separate plug-in (written in C or Nessus Attack Scripting Language) for each security test
- Can test multiple hosts concurrently
- Produces a thorough vulnerability assessment report at the conclusion of the scan

What does Nessus check for?
- Backdoors
- CGI abuses
- Denial of Service
- Finger abuses
- FTP
- Gain a shell remotely
- Gain root remotely
- Port scanners
- Remote file access
- RPC
- SMTP problems
- Useless services
- Windows
- and more...

Summary
- Reconnaissance
- Scanning: Network Mapping
- OS detection
- Vulnerability assessment
- Tools: Cheops, Nmap, Nessus