Network Security Network Scanning Module 2 Keith A. Watson, CISSP, CISA IA Research Engineer, CERIAS kaw@cerias.purdue.edu 1
Network Scanning Definition: Sending packets configured to evoke a response from the target system; the result or lack of result is used to infer the configuration of the target. 2
Overview: Scanning (what, why and where); Considerations; nmap and other tools; nmap features (host discovery, port states, scan types, output); Exercises 3
Why scan? Network scanning is useful in determining the devices that exist in a network: desktops, servers, laptops; routers, managed switches, firewalls; wireless access points; network monitoring and log collection systems; network printers and print servers; IP-accessible CD-ROM drive arrays; iPod Touch, iPhone, Zune devices; Apple Time Capsules and AirPort Expresses; Roku, TiVo, MythTV, Wii, Xbox, PlayStation; building and access management systems, IP cameras 4
Why scan? Network scanning is useful to determine what services exist on a network: file services (CIFS, SMB, AppleTalk, NFS, FTP); infrastructure (DHCP, DNS, BOOTP, TFTP, SNMP); authentication (AD services, LDAP, Kerberos); remote access (VPN, SSH, Remote Desktop); printer and scanner sharing; web-based interfaces (printers, firewalls, WAPs); peer-to-peer file sharing; network game servers; backdoors 5
What do we scan? Specific systems: examine new systems placed on the network; verify network service configuration; re-check network service configuration; examine existing systems for changes in configuration. Network segments: scan all systems on specific networks (lab, classroom, admin, test networks, DMZ); scan the entire network space to look for rogue systems 6
From where do we scan? The position from which you scan changes the results. Firewalls: from inside you will see more information; from outside you should see very little. Routers with ACLs: if you are not scanning across the ACLs, you will see more. Scanning from multiple positions in the network gives you a better picture of the network security configuration 7
Things to consider: Network scanning can harm your network, at least temporarily. Older systems may crash or hang; building management systems may do weird stuff; network performance may be impacted; network devices may drop packets; systems may generate significant amounts of log messages; intrusion detection systems should be alerting when scans occur. You probably shouldn't be scanning at peak times of network operation 8
Tools available: nmap, version 5; iPod Touch / iPhone tools: Net Scan ($0.99), iNet ($3.99), Network Utility (Pro version: $0.99), iPortScan PRO ($0.99), Portscan ($1.99); Mac: Network Utility application; hping3; BackTrack bundled tools 9
nmap features: multiple host discovery methods; multiple scan methods; service and version detection; OS detection; intrusion detection evasion techniques (setting the source port to 20, 53, 67 or 88, randomization); performance tuning; scripting engine; runtime feedback; multiple output types (text, XML, l33t, grepable) 10
nmap interfaces: Command line: nmap is designed to be used from the CLI; all options and modes can be specified there. Graphical user interface: Zenmap is the GUI front end for nmap; there are others, but they are older and may not work 11
nmap target selection: Targets can be IP addresses, hostnames, FQDNs or networks, listed as the last parameters on the CLI. Examples: poly-server.cerias.purdue.edu; purdue.edu/24; 128.10.247.10 128.10.247.20 128.10.246.0/24; 128.10.247-250.1-254. Use -iL <file> to read targets from <file>. Use --exclude <host1>[,<host2>,...,<hostn>] to exclude specific targets 12
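Knowing exactly which addresses a target spec expands to matters before you press Enter on a large scan (a typo like 128.10.0-255.0-255 is 65,536 hosts). The following is an added example, not code from the slides or from nmap itself: a small expander for the spec forms the slide lists (dotted-quad octet ranges, CIDR blocks, hostnames) with --exclude handling. Assumptions: a "*" octet means 0-255, specs are separated by whitespace or commas, and comma lists inside a single octet (which nmap does accept) are not supported.

```python
import ipaddress
import re
from itertools import product
from typing import Iterable, List, Union

# Hypothetical helper (not part of nmap): expands nmap-style target specs.
# Supported: plain IPv4, octet ranges such as 128.10.247-250.1-254 (and '*'
# for a whole octet), CIDR such as 128.10.246.0/24, and hostnames, which are
# returned unchanged because resolving them needs DNS.


def _expand_octet(field: str) -> List[int]:
    """Expand one octet field: '10', '1-254' or '*' (assumed to mean 0-255)."""
    if field == "*":
        return list(range(256))
    lo, sep, hi = field.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if sep else lo_i
    if not 0 <= lo_i <= hi_i <= 255:
        raise ValueError(f"bad octet range: {field!r}")
    return list(range(lo_i, hi_i + 1))


def expand_spec(spec: str) -> List[str]:
    """Expand a single target spec into IPv4 address strings (or [hostname])."""
    spec = spec.strip()
    if not spec:
        return []
    if "/" in spec:
        try:
            # nmap scans the network and broadcast addresses of a CIDR block too,
            # so iterate the whole network rather than using .hosts()
            return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
        except ValueError:
            return [spec]  # purdue.edu/24 style: needs DNS before the prefix applies
    fields = spec.split(".")
    if len(fields) == 4 and all(f and set(f) <= set("0123456789-*") for f in fields):
        octets = [_expand_octet(f) for f in fields]
        return [".".join(map(str, q)) for q in product(*octets)]
    return [spec]  # hostname or FQDN: left for the resolver


def expand_targets(targets: Union[str, Iterable[str]],
                   exclude: Union[str, Iterable[str]] = ()) -> List[str]:
    """Expand a target list (CLI args or -iL file contents) minus --exclude specs.

    Specs may be separated by whitespace or commas; duplicates are dropped and
    first-seen order is kept, which is the order a non-randomized scan would use.
    """
    if isinstance(targets, str):
        targets = re.split(r"[\s,]+", targets.strip())
    if isinstance(exclude, str):
        exclude = re.split(r"[\s,]+", exclude.strip())
    excluded = set()
    for spec in exclude:
        excluded.update(expand_spec(spec))
    seen, out = set(), []
    for spec in targets:
        for addr in expand_spec(spec):
            if addr not in excluded and addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out


if __name__ == "__main__":
    # the slide's own examples: four /24s by octet range, and a mixed list
    print(len(expand_targets("128.10.247-250.1-254")))                        # 1016
    print(len(expand_targets("128.10.247.10 128.10.247.20 128.10.246.0/24")))  # 258
    print(expand_targets("128.10.246.0/24", exclude="128.10.246.0/25")[:3])
```

Counting the expansion first is also the cheapest sanity check against the "Things to consider" slide: the host count times the number of probed ports is roughly the packet load you are about to put on the network.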
nmap host discovery: Host discovery is the process of determining what systems are on the network. What's the traditional method for determining if a system is on the network? Ping (ICMP echo request). nmap has additional methods 13
Ping example (diagram): Source sends an ICMP Echo Request to Target; Target answers with an ICMP Echo Reply 14
nmap host discovery: Host discovery is necessary to avoid scanning dead IP addresses where no system is responding for that address. Proper host discovery can shorten large address range scans. Using an ICMP echo request (ping) may not be effective if the system's firewall blocks it, so other nmap host discovery methods may be necessary 15
nmap host discovery: Disable ping (-PN): skips host discovery entirely and treats every target as up. List scan (-sL): performs reverse DNS lookups and just lists the targets, sending nothing to them. Ping scan (-sP): reports responding hosts only; uses ICMP echo request, TCP SYN to port 443, TCP ACK to port 80 and ICMP timestamp request to find hosts 16
nmap host discovery: TCP SYN ping (-PS <portlist>): SYN sent to the specified ports (default: 80); host is up if SYN/ACK or RST received. TCP ACK ping (-PA <portlist>): ACK sent to the specified ports (default: 80); host is up if RST received. UDP ping (-PU <portlist>): empty UDP packet sent to the specified ports (default: 40125); host is up if ICMP port unreachable received 17
TCP connection establishment (diagram): Source sends SYN; Target answers SYN+ACK; Source completes the handshake with ACK 18
SYN ping (diagram): Source sends SYN; Target answers SYN+ACK; Target is up! 19
SYN ping (diagram): Source sends SYN; Target answers RST; Target is up! 20
SYN ping (diagram): Source sends SYN; no answer; Target is down 21
nmap host discovery: SCTP INIT ping (-PY <portlist>): sends an SCTP INIT packet to the specified ports (default: 80); host is up if any response received. ICMP ping types (-PE, -PP, -PM): -PE is an echo request, -PP is a timestamp request, -PM is an address mask request; host is up if any ICMP reply received 22
nmap host discovery: IP protocol ping (-PO <protocollist>): sends a packet with the specified protocol number in the IP header (default: ICMP, IGMP and IP-in-IP); host is up if any response received. ARP ping (-PR): sends an ARP request on the local Ethernet network; host is up if any response received. On a local Ethernet segment nmap uses ARP ping automatically and the other ping methods are not used 23
nmap host discovery: Common ports to use in host discovery. Windows: TCP/135, UDP/137, UDP/138, TCP/139, TCP&UDP/445, TCP&UDP/1025-1030, TCP/3389. UNIX: TCP/21, TCP/22, TCP/23, TCP/25, UDP/53, TCP/80, TCP&UDP/111, UDP/161, UDP/514. Network devices: TCP/22, TCP/23, UDP/53, UDP/67-68, TCP/80, TCP/443, UDP/161. Bottom line: unless your hosts are blocking standard ICMP pings, you can stick to the default host discovery methods 24
nmap port states: open: accepts TCP, UDP or SCTP connections. closed: responds, but no application is listening. filtered: little information available to determine the actual state; a firewall may be dropping the probes. unfiltered: port is accessible, but open/closed cannot be determined; reported by the ACK scan, other scans are needed 25
nmap port states: open|filtered: unable to determine if the port is open or filtered; reported by UDP, IP protocol, FIN, NULL and Xmas scans. closed|filtered: unable to determine if the port is closed or filtered; reported by the IP ID idle scan 26
nmap scan modes: TCP SYN scan (-sS): starts the TCP three-way handshake but never completes it; open if SYN/ACK received; closed if RST received; filtered if an ICMP error or no response received. TCP connect scan (-sT): opens a full TCP connection and sends no data; uses the OS connect() call to determine the state, so the target application sees (and may log) the connection 27
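The connect scan is the one mode you can reproduce without raw sockets or root, which also makes it the clearest way to see why -sT is noisier than -sS. The following is an added example, not code from the slides or from nmap: it starts a constructed listener on a loopback port, classifies ports from the connect() result exactly as the slide describes (success: open; RST, i.e. ECONNREFUSED: closed; timeout or ICMP error: filtered), and records that the listening application saw the completed handshake. Names such as Target, free_port and connect_scan are this example's own.

```python
import errno
import socket
import threading
import time
from typing import Dict, List


class Target:
    """Constructed loopback target for the demo: one listening TCP port that records
    every peer whose handshake completed, i.e. what an application or its logs see."""

    def __init__(self) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)              # lets the accept loop notice close()
        self.port = self.sock.getsockname()[1]
        self.seen: List[tuple] = []
        self._stop = False
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while not self._stop:
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            self.seen.append(peer)             # a SYN scan would never reach this point
            conn.close()

    def wait_for_accepts(self, n: int, timeout: float) -> bool:
        """Block until the listener has accepted n connections or timeout expires."""
        deadline = time.monotonic() + timeout
        while len(self.seen) < n and time.monotonic() < deadline:
            time.sleep(0.01)
        return len(self.seen) >= n

    def close(self) -> None:
        self._stop = True
        self.sock.close()


def free_port() -> int:
    """Return a loopback TCP port nothing is listening on (bind to 0, then release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports: List[int], timeout: float = 1.0) -> Dict[int, str]:
    """Classify ports the way nmap -sT does, from the OS connect() result:
    success -> open, RST (ECONNREFUSED) -> closed, timeout or ICMP error -> filtered."""
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                rc = s.connect_ex((host, port))
            except OSError as e:               # e.g. socket.timeout on some platforms
                rc = e.errno or errno.ETIMEDOUT
        if rc == 0:
            results[port] = "open"             # full three-way handshake completed
        elif rc == errno.ECONNREFUSED:
            results[port] = "closed"           # kernel answered with RST: nothing listening
        else:
            results[port] = "filtered"         # no answer or ICMP unreachable: probe dropped
    return results


if __name__ == "__main__":
    target = Target()
    ports = [target.port, free_port()]
    print(connect_scan("127.0.0.1", ports))
    target.wait_for_accepts(1, 2.0)
    print("handshakes seen by the target:", target.seen)   # -sT is not stealthy
    target.close()
```

Scanning a host that drops packets (for example a port behind a firewall) makes the same function return "filtered" after the timeout, which is also why connect and SYN scans against filtered ranges take so much longer than against closed ones.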
nmap scan modes: UDP scan (-sU): sends an empty UDP packet; closed if ICMP port unreachable received; filtered if another ICMP error received; open|filtered if there is no response (open only if a UDP reply comes back); the scan can be very slow because of ICMP rate limiting and timeout periods. SCTP INIT scan (-sY): sends an empty SCTP INIT chunk; open if INIT-ACK received; closed if ABORT received; filtered if an ICMP error or no response received 28
nmap scan modes: NULL scan (-sN): sends a TCP packet with no flag bits set. FIN scan (-sF): sends a TCP packet with FIN set. Xmas scan (-sX): sends a TCP packet with FIN, PSH and URG set. Responses to NULL, FIN and Xmas: closed if RST received; filtered if an ICMP error received; open|filtered if no response 29
nmap scan modes: TCP Window (-sW) and Maimon (-sM) scans: rely on implementation details of specific TCP stacks. IP protocol scan (-sO): determines which IP protocols are supported. FTP bounce scan (-b <ftprelay>): abuses an old FTP server proxy feature to scan through the relay. Idle scan (-sI <zombie>): blind scan via a zombie's IP ID sequence; can map out trust relationships between systems. Custom TCP scan (--scanflags): generate packets with specific header flags 30
nmap port specification: Port numbers (1-65535) are associated with specific network services or applications. Most port number assignments are fixed and assigned by IANA. Without specifying ports, nmap chooses the 1000 most common ports for each scanned protocol 31
nmap port specification: Specify ports with the -p option: -p- or -p1-65535 (all ports); -p U:53,137,161,T:21,22,25,80,443,8080 (per-protocol lists). Fast scan (-F): scans only the 100 most common ports. Avoid port randomization (-r): scan port numbers in order 32
nmap fingerprint modes: OS detection (-O). nmap attempts to detect the OS version by fingerprinting the TCP/IP stack: quirks and implementation details are evaluated and compared against a database of known stack implementations 33
Other options/features: Service and version detection (-sV): attempts to determine the versions of the listening software. Timing and performance options: retries, timeouts, delays, rate limiting, scan rates. Scripting engine: includes a library of scan scripts, and you can write your own. Firewall/IDS evasion and spoofing: attempts to bypass firewalls and to avoid intrusion detection systems 34
nmap output example 1
golgafrincham:~ admin$ sudo nmap -sP dis
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-05 14:34 EST
Host 128.10.247.70 is up (0.00015s latency).
MAC Address: 00:11:43:A0:98:42 (Dell)
Nmap done: 1 IP address (1 host up) scanned in 16.61 seconds 35
nmap output example 2
golgafrincham:~ admin$ sudo nmap -sS dis
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-05 14:23 EST
Interesting ports on 128.10.247.70:
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:11:43:A0:98:42 (Dell)
Nmap done: 1 IP address (1 host up) scanned in 17.08 seconds 36
nmap output example 3
golgafrincham:~ admin$ sudo nmap -O milliways
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-05 14:38 EST
Interesting ports on 128.10.247.50:
Not shown: 996 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9103/tcp open  jetdirect
MAC Address: 00:B0:D0:DB:A5:56 (Dell Computer)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: FreeBSD 7.X
OS details: FreeBSD 7.0-RELEASE-p1 - 7.1-RELEASE
Network Distance: 1 hop 37
saving nmap output: nmap output can be saved as text (default): -oN <file>; XML: -oX <file>; l33t: -oS <file>; grepable: -oG <file>; all formats at once: -oA <basename>. Verbose output (-v); debugging (-d <level>); many others too... 38
nmap output differencing: Differencing provides a method to see changes over time (ndiff compares two XML output files).
golgafrincham:~ admin$ ndiff yesterday.xml today.xml
-Nmap 5.00 at 2009-11-05 14:59
+Nmap 5.00 at 2009-11-05 15:01
128.10.247.50, 00:B0:D0:DB:A5:56:
-Not shown: 999 filtered ports
+Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
+23/tcp open  telnet 39
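Saving every scan in grepable form and diffing it against the previous run is the practical answer to the "re-check configuration" and "look for rogue systems" goals from the earlier slides, and it is what ndiff does for XML. The following is an added example, not code from the slides or from the nmap project: a parser for the -oG format (tab-separated fields on each Host: line; Ports: entries of the form port/state/proto/owner/service/rpcinfo/version/) and a differ that reports new or vanished hosts and changed ports. The two scan outputs embedded below are constructed for the example, modelled on the hosts in the slides (milliways at 128.10.247.50 gaining a telnet service, dis at 128.10.247.70 disappearing); the version strings are made up.

```python
import re
from typing import Dict, List, NamedTuple


class PortInfo(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text: str) -> Dict[str, dict]:
    """Parse nmap -oG output into {ip: {name, status, ignored, ports}}.

    Fields on a Host: line are tab separated.  Each Ports: entry is
    port/state/proto/owner/service/rpcinfo/version/ ; nmap rewrites '/' inside
    version strings as '|', so splitting on '/' is safe.
    """
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # '# Nmap ...' lines carry only the command and timestamps
        fields = line.split("\t")
        m = _HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        rec = hosts.setdefault(ip, {"name": name, "status": None, "ignored": None, "ports": {}})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "Ignored State":
                rec["ignored"] = value    # e.g. 'filtered (996)': the 'Not shown' line
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    if len(parts) < 7:
                        continue
                    port, state, proto, _owner, service, _rpc, version = parts[:7]
                    rec["ports"][f"{port}/{proto}"] = PortInfo(int(port), proto, state, service, version)
    return hosts


def diff_scans(old: Dict[str, dict], new: Dict[str, dict]) -> List[str]:
    """Return ndiff-style change lines: +/- hosts and ports, ~ for state/version changes."""
    changes: List[str] = []
    for ip in sorted(set(old) | set(new)):
        if ip not in old:
            changes.append(f"+ {ip} (new host)")
            continue
        if ip not in new:
            changes.append(f"- {ip} (host gone)")
            continue
        op, np_ = old[ip]["ports"], new[ip]["ports"]
        for key in sorted(set(op) | set(np_), key=lambda k: (int(k.split("/")[0]), k)):
            if key not in op:
                changes.append(f"+ {ip} {key} {np_[key].state} {np_[key].service}")
            elif key not in np_:
                changes.append(f"- {ip} {key} {op[key].state} {op[key].service}")
            elif op[key].state != np_[key].state or op[key].version != np_[key].version:
                o, n = op[key], np_[key]
                changes.append(f"~ {ip} {key} {o.state} {o.version or '-'} -> {n.state} {n.version or '-'}")
    return changes


# Constructed sample -oG output (not real scan data); tabs are literal '\t'.
YESTERDAY = (
    "# Nmap 5.00 scan initiated Thu Nov  5 14:59:00 2009 as: nmap -sV -oG yesterday.gnmap 128.10.247.0/24\n"
    "Host: 128.10.247.50 (milliways)\tStatus: Up\n"
    "Host: 128.10.247.50 (milliways)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1 (protocol 2.0)/, "
    "9101/open/tcp//jetdirect///, 9102/open/tcp//jetdirect///, 9103/open/tcp//jetdirect///"
    "\tIgnored State: filtered (996)\n"
    "Host: 128.10.247.70 (dis)\tStatus: Up\n"
    "Host: 128.10.247.70 (dis)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.9/\tIgnored State: closed (998)\n"
    "# Nmap done at Thu Nov  5 14:59:16 2009 -- 256 IP addresses (2 hosts up) scanned in 16.61 seconds\n"
)
TODAY = (
    "# Nmap 5.00 scan initiated Thu Nov  5 15:01:00 2009 as: nmap -sV -oG today.gnmap 128.10.247.0/24\n"
    "Host: 128.10.247.50 (milliways)\tStatus: Up\n"
    "Host: 128.10.247.50 (milliways)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, "
    "23/open/tcp//telnet//Linux telnetd/, 9101/open/tcp//jetdirect///, "
    "9102/open/tcp//jetdirect///, 9103/open/tcp//jetdirect///\tIgnored State: filtered (995)\n"
    "# Nmap done at Thu Nov  5 15:01:17 2009 -- 256 IP addresses (1 host up) scanned in 17.02 seconds\n"
)

if __name__ == "__main__":
    for line in diff_scans(parse_grepable(YESTERDAY), parse_grepable(TODAY)):
        print(line)
```

Feed it real files with `parse_grepable(open("yesterday.gnmap").read())`; a new "+" port line on a server nobody touched is exactly the kind of change the "Backdoors" bullet on the earlier slide is about.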
I hate command lines... nmap includes a GUI tool called Zenmap. It is a simple interface for constructing the command line options for nmap: notice that as you choose options, the command line shown changes. The Zenmap output is the same as nmap's. It's a learning tool for nmap parameters. For our exercises you can use whichever tool you are comfortable with 40
Let's get started... Boot up BackTrack if you haven't already, OR install nmap on your machine. Connect to the exercise network 41
Exercise 1 Using Zenmap or nmap do a SYN scan on 192.168.1.20 What ports are open? 42
Exercise 2 Use Zenmap or nmap to do an OS detection scan against 192.168.1.25 What operating system does this machine have? 43
Exercise 3: Scan the targets in the range 192.168.1.20-26. Choose any scan method. What OSs are used? What services are available? With everyone scanning at once, watch for and note network side effects 44
Exercise 4: Experiment with Zenmap and nmap. Any IP on the 192.168.1.0/24 exercise network is a target. Attempt different scan modes and try to determine the OS and which ports are open or closed 45
End of Module 2 Questions? 46