Common Network Attacks


1 Common Network Attacks
David J. Marchette
Common Network Attacks p.1/96

2 Outline
Some Common Attacks
SHADOW
EMERALD
ADAM
Utilities

3 Terminology
Active. Requires action on the part of the person or system to gather information.
Passive. Relies on information gathered without any action (e.g. without sending any packets).
Fingerprinting. Determining the operating system of a machine by investigating packets/responses from the machine.

4 Terminology
Stateful. A system (intrusion detection, firewall, etc.) is stateful if it retains information about the state of TCP sessions.

5 References
Northcutt, Network Intrusion Detection: An Analyst's Handbook

6 Outline of an Attack
Find out what machines are on the net: IP scan.
Find out what OS/version they are running: Fingerprinting.
Find out what services they are running: Portscan.
Attack the vulnerable.

7 Comments on Attack Outline
Not all attacks follow all these steps. Some attacks skip all of them (denial of service).
Attacks that follow the pattern are usually trivial to detect.
Attacks that follow the pattern sometimes still succeed! Even when the pattern has been detected!

8 Attack Types
Denial of Service (DOS).
Probes and Network Mapping.
Fingerprinting.
TCP Hijacking.
Other ways to gain access.

9 DOS: Land Attack
A single packet attack.
A packet is sent with both the source and destination IP address set to the target machine.
Locks up the machine (only works on older systems).
Note: This, like most attacks, requires the attacker to carefully craft packets. This attack only worked because of a bug in the IP stack of some operating systems.

10 DOS: Ping of Death
Another single packet attack.
A ping (ICMP echo request) is sent to the target machine with an illegally long payload: once the fragments are reassembled, the datagram exceeds the 65,535-byte maximum that the 16-bit IP length field allows.
Locks up the machine (only works on older systems).
Note: some versions of ping allowed one to do this, so novices could use this attack without any coding skills.

11 DOS: Teardrop
Another single packet attack (one datagram, delivered as a few fragments).
A UDP packet is sent fragmented, with the fragments overlapping.
Locks up the machine (only works on older systems).

12 More Attacks with Fragments
Suppose a TCP packet has been fragmented, and the attacker knows the IP ID.
The attacker can send new fragments with the same IP ID, overwriting the legitimate data.
The TCP header is left alone, so it is a legitimate packet as far as the receiving computer knows.
The attacker must take care that the checksum is correct.
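The three single-packet attacks above (Land, Ping of Death, Teardrop) and the fragment-overwrite trick can all be caught by a sensor that parses the IPv4 header and keeps per-datagram fragment state. The following is an added example, not code from the slides: a minimal header builder/parser plus a fragment monitor. The packets it checks are constructed inline, and the 20-byte option-less header is an assumption of the example.

```python
"""Added example (not from the slides): parse IPv4 headers and flag the
single-packet attacks above. Packets below are constructed inline."""
import struct
from collections import defaultdict

IP_MAX_DATAGRAM = 65535   # 16-bit Total Length field, header included
IP_HDR_LEN = 20           # minimal header, no options (assumed throughout)


def build_ipv4(src, dst, ident, offset8, more_frags, payload, proto=1):
    """Build a 20-byte IPv4 header plus payload. offset8 is the fragment
    offset in 8-byte units, exactly as carried on the wire."""
    flags_frag = (0x2000 if more_frags else 0) | (offset8 & 0x1FFF)
    total_len = IP_HDR_LEN + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, ident, flags_frag, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


def parse_ipv4(pkt):
    """Return the fields the checks need from a raw IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "id": ident,
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,   # byte offset within datagram
        "len": total_len - ihl,                # payload bytes in this fragment
    }


class FragmentMonitor:
    """Track fragments per (src, dst, id, proto) and report the attacks."""

    def __init__(self):
        self.frags = defaultdict(list)   # key -> list of (start, end) byte ranges

    def check(self, pkt):
        h = parse_ipv4(pkt)
        alerts = []
        if h["src"] == h["dst"]:                 # Land: packet "from itself"
            alerts.append("land")
        key = (h["src"], h["dst"], h["id"], h["proto"])
        start, end = h["offset"], h["offset"] + h["len"]
        # Teardrop / fragment overwrite: this fragment overlaps one already seen
        if any(start < e and s < end for s, e in self.frags[key]):
            alerts.append("fragment-overlap")
        self.frags[key].append((start, end))
        # Ping of Death: reassembled datagram would exceed the 16-bit length
        if IP_HDR_LEN + end > IP_MAX_DATAGRAM:
            alerts.append("oversize-datagram")
        return alerts


def demo():
    """Run the three attacks plus a harmless first fragment through the monitor."""
    m = FragmentMonitor()
    return {
        "land": m.check(build_ipv4("10.0.0.5", "10.0.0.5", 1, 0, False, b"x" * 8)),
        "frag1": m.check(build_ipv4("10.0.0.1", "10.0.0.2", 2, 0, True, b"a" * 32)),
        "teardrop": m.check(build_ipv4("10.0.0.1", "10.0.0.2", 2, 2, False, b"b" * 16)),
        "pod": m.check(build_ipv4("10.0.0.1", "10.0.0.2", 3, 8189, False, b"c" * 20)),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name:9s} -> {alerts or 'clean'}")
```

The overlap test is a plain interval intersection on byte ranges, which is also what a legitimate fragment-overwrite looks like: the sensor cannot tell "attacker overwrote the data" from "a buggy stack retransmitted a fragment", so the alert is a trigger for inspection rather than proof of attack.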

13 DOS: UDP Storm
Another single packet attack, in principle.
Was the attack-du-jour for a while.
A UDP packet is sent with: Source IP victim1. Destination IP victim2. Source port 7 (echo). Destination port 19 (chargen).
Causes the two victim machines to attack each other: chargen on victim2 answers to victim1's echo port, echo sends the data straight back to chargen, and the loop never ends.

14 Notes on Old Attacks
These attacks only work on older systems. This does not mean they will never work again.
These take advantage of errors (bugs) in the programming of the operating systems.
This illustrates the basic idea of many attacks: find an error and exploit it.

15 Notes on Old Attacks
Note that code reuse and poor programming habits can make some old attacks viable again.
How might one have designed a system that would detect the above attacks before they were known?

16 DOS: SYN Flood
Send a lot of SYN packets to the target.
These start half-open connections.
If enough connections are started before they start to time out, the connection table can fill up.
The machine crashes, or cannot service legitimate connections.

17 DOS: SYN Flood
Note that the packets needn't have the source address of the attacker.
In fact, they should have an unreachable source to ensure that the SYN/ACKs are never answered (a live host that receives an unexpected SYN/ACK replies with a RST, which clears the half-open entry).
In actual implementations, the attack usually does not use unreachable sources, but rather selects the sources at random (or arbitrarily).

18 DOS: Process Table
Similar to the SYN flood.
Initiate a lot of TCP connections.
Requires an application that will accept the connections.
Each connection forks a process.
If enough connections are forked the process table fills up.

19 DOS: Process Table Notes
Note that the attacker must appear in the source IP address, since it must answer the SYN/ACKs.
But if it's clever, it need not fork any processes.
This is a good attack to implement as a distributed denial of service. By using many compromised computers, the attacker hides his identity while multiplying the effectiveness of the attack.
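The difference between the SYN flood (slides 16-17) and the process-table attack (slides 18-19) is visible to a stateful sensor: the first leaves many half-open entries from sources that never finish the handshake, the second leaves many completed connections from a source that must be real. The following is an added example, not code from the slides: a half-open tracker run over constructed packet records. The backlog size and half-open timeout are assumptions.

```python
"""Added example (not from the slides): a stateful half-open connection tracker
that tells a spoofed SYN flood from a process-table attack. The packet records
are constructed, and the backlog/timeout values are assumptions."""

BACKLOG = 128          # assumed size of the target service's listen queue
SYN_TIMEOUT = 75.0     # assumed seconds before a half-open entry is dropped


class HalfOpenTracker:
    def __init__(self, backlog=BACKLOG, timeout=SYN_TIMEOUT):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}        # (src, sport, dst, dport) -> time SYN seen
        self.established = set()   # 4-tuples whose handshake completed

    def _expire(self, now):
        for key, t0 in list(self.half_open.items()):
            if now - t0 > self.timeout:
                del self.half_open[key]

    def observe(self, t, src, sport, dst, dport, flags):
        """flags is a set drawn from {'S','A','R','F'}. Server->client packets
        carry the reversed tuple, which never matches a client entry."""
        self._expire(t)
        key = (src, sport, dst, dport)
        if flags == {"S"}:                            # handshake step 1
            self.half_open[key] = t
        elif flags == {"S", "A"}:                     # server's SYN/ACK: nothing to record
            pass
        elif "A" in flags and key in self.half_open:  # step 3 completes the handshake
            del self.half_open[key]
            self.established.add(key)
        elif flags & {"R", "F"}:                      # teardown either way
            self.half_open.pop(key, None)
            self.established.discard(key)

    def stats(self, dst, dport):
        """(half-open count, established count, distinct half-open sources)."""
        pend = [k for k in self.half_open if k[2:] == (dst, dport)]
        est = [k for k in self.established if k[2:] == (dst, dport)]
        return len(pend), len(est), len({k[0] for k in pend})

    def verdict(self, dst, dport):
        pend, est, srcs = self.stats(dst, dport)
        if pend >= self.backlog:
            return f"syn-flood: {pend} half-open from {srcs} sources (backlog {self.backlog})"
        if est >= self.backlog:
            return f"process-table: {est} completed connections"
        return "normal"


def simulate(n_spoofed=200):
    """200 spoofed SYNs (random-looking sources, never answered) plus one real client."""
    tr = HalfOpenTracker()
    for i in range(n_spoofed):
        src = f"198.18.{i // 256}.{i % 256}"          # constructed, never replies
        tr.observe(i / 1000, src, 40000 + i, "10.0.0.80", 80, {"S"})
    tr.observe(0.5, "10.0.0.9", 51515, "10.0.0.80", 80, {"S"})
    tr.observe(0.5, "10.0.0.80", 80, "10.0.0.9", 51515, {"S", "A"})
    tr.observe(0.6, "10.0.0.9", 51515, "10.0.0.80", 80, {"A"})
    during = tr.verdict("10.0.0.80", 80), tr.stats("10.0.0.80", 80)
    # a packet 100 s later drives expiry: the spoofed entries time out, the real one stays
    tr.observe(100.0, "10.0.0.9", 51515, "10.0.0.80", 80, {"A"})
    after = tr.stats("10.0.0.80", 80)
    return during, after


if __name__ == "__main__":
    print(simulate())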

20 DOS: Targa3
Send a lot of malformed packets: invalid fragmentation, protocol, packet size, or IP header values; invalid options; invalid TCP segments; invalid routing flags.
These either crash the system, or use up resources while dealing with the strange packets.

21 DOS: Targa3 Notes
The attacker need not appear in the source IP, since it doesn't need to handle any responses.
There need be no particular pattern to the malformed packets. However, patterns in these might provide a way to fingerprint the attack software.

22 DOS: Smurf
Send a lot of ping packets (echo requests) to an intermediary network with the victim as source IP.
These all generate echo replies, which all get sent to the victim.
Using the broadcast address (host part all 255s) greatly magnifies the effect (assuming the intermediary network doesn't ignore broadcasts).

23 DOS: Smurf Picture
Figure, three panels, showing Attacker, Intermediary Network and Target:
Panel 1: the attacker sends ICMP echo requests to the intermediary network's broadcast address with the source spoofed as Target.
Panel 2: ICMP echo replies from thousands of machines on the intermediary network all go to Target.
Panel 3: Target goes down under the flood. Note: the attacker is invisible to the target.

26 DOS: Syslogd
There are innumerable attacks that utilize a bug in an application.
Old versions of the syslogd daemon on Solaris would crash if sent a packet from a source with no DNS entry.
Who would let a syslog packet in from outside the firewall anyway? This attack is from the good old days, before firewalls were common.

27 DOS Notes
There are two generic types of denial of service attacks:
Ones in which the attacker takes an active (and detectable) part.
Spoofing attacks, where the attacker does not show up on the packets sent to the victim.
How can one determine who the attacker is? How does one stop such attacks?

28 Network Mapping
How do you find a victim to attack?
Some are well known: ebay, amazon, Microsoft, etc.
Sometimes the attacker is after a specific individual/organization.
Even if you know you want to attack Widgets-R-Us, how do you decide which machines are vulnerable?
One answer is to scan/map the network.

29 Network Mapping Light
Ping the network's broadcast address. If this works, every machine on xxx.xxx will respond.
It probably won't work. Many organizations don't allow broadcast packets through their firewalls.
If it did work, it would probably flood your machine, and produce a denial of service against yourself!

30 Network Mapping the Hard Way
Ping every address in the range, one at a time.
Can be automated, and will work, assuming it isn't blocked by a firewall.
It is extremely easy to detect.
It can take a while to go through all the possible addresses.
To this day people (script kiddies) will do this.

31 Stealthy Network Mapping
There are several ways to make the mapping harder to detect:
1. Use packets that people expect to see, and will ignore (echo requests used to work here).
2. Use packets that are not normally logged (example: TCP SYN/ACK).
3. Randomizing the IPs scanned.
4. Spreading out the timing (low and slow scans).
5. Using multiple source IPs.

32 Stealthy Network Mapping
6. Using different packets for the scan (some ICMP, some UDP, etc.).
7. Only scan a subset of the network.

33 Inverse Mapping
Uses the Internet error mechanism to the attacker's advantage.
Example: Send a TCP packet with the RESET flag set.
If the packet reaches its destination, the packet is dropped (a host silently ignores a RST for a connection it does not have).
If the final router cannot deliver the packet, it sends back a host unreachable (ICMP) error message.
The packets that don't generate a response went to machines that exist.

34 Inverse Mapping Example
Figure, three panels, showing attacker A and addresses V1 through V6 on the victim's network:
Panel 1: Attacker sends RESET packets to V1 through V6.
Panel 2: Router sends Host Unreachable responses for the addresses with no host (V4 and V6 are marked with an X).
Panel 3: Attacker knows the victim's machines: the addresses that produced no error.

37 Inverse Mapping Notes
The attacker knows nothing about the machines on the victim's network except which ones are there.
The victim's machines each receive a single RESET packet.
Intrusion detection systems often ignore RESET packets. RESET packets happen all the time, and unless one has a stateful system, one cannot tell if a single RESET packet is normal.
Even a stateful firewall may have time-outs that are short relative to the times observed in real networks, and so may flag normal RESETs (hence its RESET alerts tend to be ignored).

38 Inverse Mapping Notes
Look for many RESET packets from the same machine to many machines.
Drop RESET packets without a response if they are to IP addresses that aren't populated.
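Both countermeasures on the slide above can be implemented in one stateful filter: remember which address pairs have exchanged a SYN, treat a RST for any other pair as unsolicited, count how many distinct destinations each source sends unsolicited RSTs to, and silently drop unsolicited RSTs aimed at addresses with no host so that no router ever emits the Host Unreachable the attacker is fishing for. The following is an added example, not code from the slides; the site's live hosts, the attacker address and the fan-out threshold are constructed/assumed.

```python
"""Added example (not from the slides): a stateful watch for inverse-mapping RSTs.
A RST that belongs to no session seen before is unsolicited; many such RSTs from
one source to many addresses is a scan, and unsolicited RSTs to unpopulated
addresses are dropped silently so no ICMP unreachable leaks the address map.
Hosts, addresses and the threshold below are constructed/assumed."""
from collections import defaultdict


class RstMonitor:
    def __init__(self, live_hosts, fanout_threshold=8):
        self.live = set(live_hosts)          # addresses that really have a host
        self.threshold = fanout_threshold
        self.sessions = set()                # frozenset({a, b}) pairs with a SYN seen
        self.unsolicited = defaultdict(set)  # src -> destinations it bare-RSTed

    def observe(self, src, dst, flags):
        """Return what the perimeter should do with this packet."""
        pair = frozenset((src, dst))
        if "S" in flags:                     # any SYN opens state for the pair
            self.sessions.add(pair)
            return "pass"
        if "R" in flags and pair not in self.sessions:
            self.unsolicited[src].add(dst)
            if dst not in self.live:
                return "drop"                # swallow it: no router error goes back
            return "pass-unsolicited"        # the real host will ignore it, but count it
        return "pass"

    def scanners(self):
        """Sources whose unsolicited RSTs fanned out to >= threshold addresses."""
        return {s: len(d) for s, d in self.unsolicited.items() if len(d) >= self.threshold}


def simulate():
    live = ["10.0.0.1", "10.0.0.3", "10.0.0.7"]         # constructed site
    m = RstMonitor(live)
    # legitimate session: SYN first, later a RST (e.g. the peer aborts the connection)
    m.observe("10.0.0.3", "198.51.100.7", {"S"})
    legit = m.observe("198.51.100.7", "10.0.0.3", {"R"})
    # inverse map: one outside address sends a bare RST to every address in 10.0.0.1-12
    actions = [m.observe("192.0.2.66", f"10.0.0.{i}", {"R"}) for i in range(1, 13)]
    return legit, actions, m.scanners()


if __name__ == "__main__":
    print(simulate())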

39 Port Mapping
The attacker is looking for specific services. There are several variations:
Brute force: scan all 65,536 ports (UDP and TCP).
Be selective: scan for a few services such as ssh, telnet, ftp, web, etc.
Be very selective: scan for a single service.

40 Port Mapping
Sometimes this is done by a program, such as a trojan or worm.
Once a machine is found running a given service, that information is retained for future targeting.
Brute force is easy to detect.
To detect slow scans you need to study how often machines normally send packets to closed ports.

41 Stealthy Port Mapping
One way to avoid getting caught at port mapping is to make sure your IP address does not appear in the packet.
This seems problematic, however: how do you find out if the port is open?
Recall that if the port is open, a SYN/ACK is sent in response to a SYN. If it is closed, a RST is sent.
Note also that if an unsolicited SYN/ACK packet is received, a RST packet is sent, while unsolicited RST packets are ignored.

42 Patsies (Idle Scan)
Suppose you can find a computer that increments its IP ID number in a predictable manner. Call this machine Patsy.
You want to determine if another machine, Victim, has a particular port open, port P.
Start pinging Patsy (ICMP echo requests, for example). Each reply shows the IP ID incremented.
Send a SYN packet to port P on Victim, with Patsy as the source.
If the port is open, a SYN/ACK is sent to Patsy, Patsy sends a RST, and you observe a skip in the IP ID in your ping stream.
If the port is closed, a RST is sent to Patsy, Patsy ignores it, and there is no skip in IP IDs.

43 What to do about Patsies
The good neighbor approach: don't be a patsy. Make your IP ID unpredictable. This can be done by adding a (small) random number to the IP ID instead of incrementing it.
The don't be a victim approach: Change the TCP stack so that when a SYN is received at a closed port, you send a RST followed by an ACK. The ACK packet will generate the RST that increments the IP ID, so open and closed ports look the same from the scanner's side.
Note: firewalls can't help, since the whole point is that closed ports don't cause an effect.

44 Downsides
The good neighbor approach requires everyone to change, which can be a problem, especially with entrenched systems.
The don't be a victim approach adds packets, and thus decreases efficiency.
A combination of the two is what we have, and is probably the best.
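The idle scan of slide 42 and both countermeasures of slide 43 can be checked end to end in a small simulation: a patsy stack whose IP ID is either a global counter or a randomised one, a victim stack with or without the "RST followed by ACK" change, and the scanner's gap arithmetic. The following is an added example, not code from the slides; the Patsy and Victim classes are toy stacks, and the starting IP ID and the bound on the "small random" increment are assumptions.

```python
"""Added example (not from the slides): a simulation of the idle scan and of the
two countermeasures. The Patsy and Victim classes are toy TCP/IP stacks; the
IP ID start value and the 'small random increment' bound are assumptions."""
import random


class Patsy:
    """A third-party host whose IP ID is either a global counter or randomised."""

    def __init__(self, predictable=True, seed=0, max_step=255):
        self.ipid = 1000
        self.predictable = predictable
        self.rng = random.Random(seed)
        self.max_step = max_step

    def _next_id(self):
        step = 1 if self.predictable else self.rng.randint(1, self.max_step)
        self.ipid = (self.ipid + step) & 0xFFFF          # 16-bit field wraps
        return self.ipid

    def echo_reply(self):
        """Answer a ping; the reply carries (and consumes) an IP ID."""
        return self._next_id()

    def receive(self, flags):
        """Unsolicited SYN/ACK or ACK provokes a RST (consumes an IP ID);
        an unsolicited RST is silently ignored."""
        if flags in ({"S", "A"}, {"A"}):
            self._next_id()


class Victim:
    def __init__(self, open_ports, rst_then_ack=False):
        self.open_ports = set(open_ports)
        self.rst_then_ack = rst_then_ack      # the "don't be a victim" change

    def receive_syn(self, port, reply_to):
        """The reply goes to the spoofed source, i.e. to the patsy."""
        if port in self.open_ports:
            reply_to.receive({"S", "A"})
        else:
            reply_to.receive({"R"})
            if self.rst_then_ack:
                reply_to.receive({"A"})      # extra ACK makes the patsy RST anyway


def idle_scan(patsy, victim, port):
    """Infer the state of victim:port from the gap in the patsy's IP IDs."""
    before = patsy.echo_reply()
    victim.receive_syn(port, reply_to=patsy)           # SYN spoofed from the patsy
    after = patsy.echo_reply()
    gap = (after - before) & 0xFFFF
    return {1: "closed", 2: "open"}.get(gap, "unknown")


def survey(patsy, victim, port, trials=200):
    """Repeat the scan against one patsy and count the verdicts."""
    counts = {}
    for _ in range(trials):
        v = idle_scan(patsy, victim, port)
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    v = Victim({22, 80})
    print("counter patsy:", idle_scan(Patsy(), v, 22), idle_scan(Patsy(), v, 25))
    print("victim with RST+ACK:", idle_scan(Patsy(), Victim({22, 80}, True), 25))
    print("random patsy:", survey(Patsy(predictable=False), v, 25))
```

With the "RST followed by ACK" change every closed port reads as open, so the scanner learns nothing; with random increments a single probe gives a gap that is almost never exactly 1 or 2, so the scanner would need many repeated probes and a statistical test rather than one clean reading.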

45 Fingerprinting (Active)
Fingerprinting uses the fact that implementations are free to make choices about how to react to certain types of packets (e.g. improperly formed ones).
The idea is to send a series of crafted packets, and see what the response is.
Based on the responses to the packets, a determination can be made as to the operating system of the target.

46 Fingerprinting (Active)
This is used by attackers to determine the best attack to use.
System admins use this to see if machines meet their accreditation specs.
This assumes the target system hasn't been modified to simulate another OS.
It is not perfect, but most active fingerprinting programs are pretty good.

47 Fingerprinting (Passive)
Operating systems also make choices when they send packets out. For example:
Initial Time-to-live value.
Source port range.
Sequence number generation algorithm.
Options.
DF flag set?
Type of Service.
Window Size.

48 Fingerprinting (Passive)
These can, to some extent, be used to determine the operating system of a machine passively.
No packets need be sent to the machine, so there is no way to tell if you have been (passively) fingerprinted.
This is truly a statistical problem.

49 A Comment about TTL
Note that you never see the TTL value set by the remote machine. You see the TTL decremented by an unknown number of routers.
So, you observe T − δ, where T is the original TTL and δ is a random positive integer (the number of routers the packet crossed).

50 A Comment about Source Ports
Different operating systems/applications choose different source port ranges.
However, for any session, you only see one source port.
Thus, source port range is only useful over a long time.
How do you estimate the source port range?
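The two estimation problems posed on slides 49 and 50 have standard answers: because stacks start from a few well-known initial TTLs, T is taken to be the smallest common default at or above the observed value and δ is the difference; and a host's source-port range is estimated from the order statistics of the ports it has been seen using. The following is an added example, not code from the slides or from p0f; the signature table is a three-entry toy stand-in for p0f's database, and the SYN observations and port list are constructed.

```python
"""Added example (not from the slides): recover the sending host's initial TTL
and hop distance from an observed TTL, estimate a host's source-port range from
many observed ports, and match (initial TTL, window, DF) against a tiny assumed
signature table that stands in for p0f's database. Samples are constructed."""

INITIAL_TTLS = (32, 64, 128, 255)   # defaults that real stacks start from

# Assumed toy signatures: (initial TTL, window size, DF bit) -> OS family.
SIGNATURES = {
    (64, 5840, True): "Linux 2.4/2.6",
    (128, 16384, True): "Windows 2000/XP",
    (64, 65535, True): "BSD-derived",
}


def infer_initial_ttl(observed):
    """Return (T, delta): the smallest common initial TTL T >= observed and the
    implied hop count delta = T - observed. Assumes the path is shorter than the
    distance to the next smaller default, which holds for paths under 32 hops."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t, t - observed
    raise ValueError("TTL above 255 is not valid")


def estimate_port_range(ports):
    """Estimate [low, high] of a uniform source-port range from n observed ports.
    min/max are the maximum-likelihood endpoints; widening each by the mean
    spacing (max-min)/(n-1) gives the usual unbiased order-statistic estimate."""
    n = len(ports)
    if n < 2:
        raise ValueError("need at least two observations")
    lo, hi = min(ports), max(ports)
    spacing = (hi - lo) / (n - 1)
    return max(1, round(lo - spacing)), min(65535, round(hi + spacing))


def fingerprint(observed_ttl, window, df):
    """Passive guess from one SYN: (OS family or 'unknown', hop count)."""
    init, hops = infer_initial_ttl(observed_ttl)
    return SIGNATURES.get((init, window, df), "unknown"), hops


def demo():
    # constructed SYN observations (ttl, window, DF) and one host's ephemeral ports
    syns = [(52, 5840, True), (116, 16384, True), (240, 8760, False)]
    ports = [32800, 33500, 40000, 45000, 60000]
    return [fingerprint(*s) for s in syns], estimate_port_range(ports)


if __name__ == "__main__":
    print(demo())
```

The TTL rule fails exactly where the slide says the problem is statistical: a host 40 hops away that started at 64 is reported as "started at 32, 8 hops away", and a middlebox that rewrites TTLs breaks it entirely, so the hop count is best treated as a feature for the classifier rather than a fact.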

51 TCP Hijacking
Made famous by Kevin Mitnick.
Uses a quirk of TCP sessions to allow an attacker to take over a session between two computers.
Relies on information gathered about the machines by the attacker.
Relies on sequence number algorithms that are easy to predict. For example: use the next number in the sequence, or add 1007 to the previous sequence number.

52 TCP Hijacking Setup
Setup: Machine A and machine B have a trust relationship, allowing machine B to log into machine A without requiring a password.
Attacker must first determine the sequence number algorithm machine A uses. This can be accomplished by sending a bunch of SYN packets to A and seeing what the responding sequence numbers look like.
If these are predictable, then the hijacking has a chance.

53 TCP Hijacking Details
Attacker SYN floods machine B to make sure it doesn't respond to anything from A.
Attacker sends a SYN packet to A spoofed to appear to be from B.
A responds to B with a SYN/ACK (which the attacker never sees).
Attacker then sends an ACK packet with the correct (inferred) acknowledgment number.
A thinks this is part of the session and proceeds as if it were talking to B.

54 TCP Hijacking Details
The attacker could in principle carry on this hijacked session as if it were a real session.
Instead, the attacker sends the commands to put ++ in the .rhosts file. This makes the victim trust everyone, and the attacker can now access the machine remotely.

55 TCP Hijacking Example
Figure sequence (Machine A, Machine B, Attacker):
1. Attacker sends SYN packets to A to determine its sequence number generator.
2. Attacker SYN floods Machine B.
3. Machine B goes down.
4. Attacker sends a SYN packet to A spoofed as if from B.
5. A sends SYN/ACK to B, which is ignored since B is down.
6. Attacker sends an ACK packet to A, completing the handshake.
7. A thinks it has an open session with a trusted machine.
8. Attacker sets A to trust his machine: echo ++ > .rhosts

63 Stopping Hijacking
Don't be trusting.
Use a hard to predict sequence number generator.
Watch for sequence number guessing attempts.
Block all access to attackers at the firewall (if it SYN floods, block it). This last is potentially dangerous (what if the SYN flood appears to come from your ISP?).

64 Are Sequence Numbers Predictable?
Three scatter plots (only the axis residue survives the transcription): each plots the difference between successive initial sequence numbers, s_{i+2} − s_{i+1}, against the previous difference, s_{i+1} − s_i, with axes spanning roughly −2e9 to 4e9.
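The plots above and the nmap "TCP Sequence Prediction" line later in the deck both come down to looking at successive ISN differences. The following is an added example, not code from the slides or from nmap: it classifies a handful of sampled ISNs the way the attacker on slide 52 would, predicts the next one, and computes the acknowledgment number the forged third packet must carry. The two ISN generators it samples are constructed stand-ins for machine A's stack, and the jitter bound is an assumption.

```python
"""Added example (not from the slides): test whether a host's initial sequence
numbers (ISNs) are predictable from a handful of SYN/ACK samples, the way the
attacker in the hijack probes machine A, and forge the ACK that would complete a
spoofed handshake. The ISN generators below are constructed stand-ins."""
import random

MOD = 1 << 32


def diffs(isns):
    """Successive differences modulo 2^32 (the TCP sequence space)."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify(isns, jitter_bound=1 << 16):
    """Return (class, predicted next ISN or None).
    constant increment: every difference identical -> next = last + d.
    small-jitter increment: differences all within jitter_bound of each other
       -> next is guessable (the attacker would try a few values around it).
    random: anything else -> no prediction."""
    d = diffs(isns)
    if not d:
        raise ValueError("need at least two samples")
    spread = max(d) - min(d)
    median = sorted(d)[len(d) // 2]
    if spread == 0:
        return "constant increment", (isns[-1] + d[0]) % MOD
    if spread < jitter_bound:
        return "small-jitter increment", (isns[-1] + median) % MOD
    return "random", None


def forge_ack(predicted_isn):
    """The ACK number for the third handshake packet acknowledges ISN+1."""
    return (predicted_isn + 1) % MOD


# Constructed generators standing in for machine A's stack.
def bsd_like(base, n, step=64000):
    """Fixed per-connection increment (the classic predictable scheme)."""
    return [(base + step * i) % MOD for i in range(n)]


def random_isns(n, seed=7):
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def demo():
    pred = bsd_like(0x1A2B3C4D, 8)
    cls, nxt = classify(pred)
    hit = nxt == bsd_like(0x1A2B3C4D, 9)[-1]       # the ninth connection's real ISN
    return cls, hit, forge_ack(nxt), classify(random_isns(8))[0]


if __name__ == "__main__":
    print(demo())
```

A real stack also advances its ISN with time between the attacker's probe and the spoofed SYN, which is why the attacker probes immediately before the attack and why nmap reports a "time dependency" class rather than a single increment.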

67 SHADOW
Secondary Heuristic Analysis for Defensive Online Warfare. Guess which came first, the acronym or the name.
Uses a tcpdump sensor outside (and/or inside) a firewall to collect all the packet headers within one hour.
Sensor files transferred each hour (via SSH) to an analysis station.

68 SHADOW
Headers filtered with tcpdump filters and perl scripts and sent to a web page.
Analyst reviews the web page and reports attacks or suspicious activity.
Includes ability to search past data, do whois lookups, and nmap machines.

69 SHADOW
Collects some statistics on traffic.
Newest version allows some reduction of the listing (e.g. collapsing a run of addresses into a range such as [1-255].[1-78]).
Automates some of the tedium of generating reports.
Relies on the analyst for all decisions.
Not real time. Always at least 1 hour after the fact.
Does not take any action. Purely a monitoring system.

70 Typical SHADOW Installation
Figure: Internet, Sensor, Firewall and Internal Network in that order, with the Analysis station on the internal side.

71 SHADOW Advantages
It's free.
It is easily configurable to one's network.
It looks at all the traffic (headers) coming in or going out of the network.
Simple web interface for the analyst.
SANS has many classes that are based around the SHADOW idea.
Quickly points out misconfigurations on your network.
Supports multiple sensors.

72 SHADOW Disadvantages
No support. You are on your own.
Not real time.
Does not look at content, hence many attacks are not detectable. However, one can easily add a snort sensor alongside the tcpdump.
You MUST know your network well in order to use this well (some would call this an advantage).

73 SHADOW Disadvantages
Since no processing is done on the sensor, the transfer of the data can impact the network, unless a dedicated subnet is used between the sensor and the analysis station.

74 EMERALD
Event Monitoring Enabling Responses to Anomalous Live Disturbances.
Environment for scalable, distributed ID and network monitoring.
Hierarchical model, highly modular.
Employs anomaly detection engines utilizing probabilistic models of normal, attack and anomalous behavior.

75 EMERALD
Three basic levels of processing: Service Monitors, Domain Monitors, Enterprise-wide Monitors.

76 EMERALD Monitors
Four computational units:
Signature based IDS.
Statistical profiling/anomaly detection.
Resolver, for fusing alerts, responding to attacks, and communicating to other monitors.
Resource object, for configuration management.

77 EMERALD Monitors
These tend to be stand-alone and self contained.
May be passive (reading logs, monitoring network) or active (scanning and probing).

78 Signature Engine
Analogous to a set of SHADOW filters or a snort ruleset.
Utilizes a set of rules defining a signature of a known attack.
Can be configured individually to the situation.

79 Profiler
Statistical anomaly detector.
Uses NIDES (next-generation intrusion detection expert system) to statistically profile the network or host.
Allows the detection of new attacks, since they presumably look different than normal traffic.

80 Resolver
Coordinator between the other monitors and IDS systems.
Correlates results from profiler and signature engine.
Communicates detections to higher levels in the hierarchy.

81 Resource Object
Contains all the information about data feeds, rule sets, etc.
Essentially the configuration mechanism for the module.

82 Service Monitors
Lowest level of the hierarchy.
Individual ID systems or sensors.
Host-based IDS or network monitors for small networks.
Communicate to the domain monitors, and to other service monitors.

83 Domain Monitors
Correlate the results from the Service Monitors.
Same basic components as the Service Monitors.
Provide an overall picture of the health of the site.
Look for higher level correlations that are not visible at the lower level.

84 Enterprise Monitors
Correlate the results from the Domain Monitors.
Same basic components as the Service Monitors.
Provide an overall picture of the health of the entire organization, across several sites.
Look for network-wide threats like worms, distributed attacks, etc.

85 ADAM
Audit Data Analysis and Mining, GMU.
Network based anomaly detector.
TCP/IP monitor, looks for DOS, scans.
Data mining: mining association rules.

86 Association Rules
An association rule is a way of expressing a relationship of the form "If A then B", written as A → B.
Given a data set X, look for patterns where A and B both occur together.
A → B has support s if A and B occur together in s% of the records.
A → B has confidence c if c% of the times that A occurs, B does as well.

87 Association Rules
This provides a way of encoding patterns.
These association rules are learned from the data.

88 ADAM Processing
Three modules:
Preprocessing engine.
Data Mining (rule set extraction) engine.
Classification Engine.
Involves a training phase and a detection phase.

89 ADAM Processing
Looks for static rules: things that have high support in the whole data set. Global patterns.
Also looks for dynamic rules: uses a sliding window to look for local patterns.
Uses header fields: Time. Source/Destination IP. Source/Destination port. TCP flags.
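Support and confidence as defined on slide 86, and the static-versus-sliding-window distinction of slide 89, are short enough to implement directly over header records. The following is an added example, not ADAM's code: it mines single-item rules A → B with their support and confidence, then flags items whose support inside the most recent window is far above their support over the whole data set. The records are constructed: fifteen normal web connections followed by a five-packet scan from one source. Thresholds are assumptions.

```python
"""Added example (not from the slides): mine single-item association rules with
support and confidence from packet header records, then apply a sliding window
to find items whose local support jumps above their global support (ADAM's
dynamic rules). The records are constructed: 15 normal web connections followed
by a 5-packet scan."""
from collections import Counter
from itertools import combinations


def items(record):
    """A record's items are its (field, value) pairs."""
    return frozenset(record.items())


def mine_rules(records, min_support=0.3, min_confidence=0.8):
    """Rules A -> B between single items. support = P(A and B), confidence = P(B | A)."""
    n = len(records)
    sets = [items(r) for r in records]
    single = Counter(i for s in sets for i in s)
    pair = Counter()
    for s in sets:
        for a, b in combinations(sorted(s), 2):   # fields are unique per record,
            pair[(a, b)] += 1                      # so sorting only compares names
    rules = {}
    for (a, b), count in pair.items():
        for ante, cons in ((a, b), (b, a)):
            support = count / n
            confidence = count / single[ante]
            if support >= min_support and confidence >= min_confidence:
                rules[(ante, cons)] = (round(support, 3), round(confidence, 3))
    return rules


def window_anomalies(records, window, min_ratio=3.0):
    """Items whose support in the last `window` records is at least min_ratio
    times their support over the whole data set (a local pattern)."""
    n = len(records)
    global_sup = Counter(i for r in records for i in items(r))
    local_sup = Counter(i for r in records[-window:] for i in items(r))
    out = {}
    for item, c in local_sup.items():
        ratio = (c / window) / (global_sup[item] / n)
        if ratio >= min_ratio:
            out[item] = round(ratio, 2)
    return out


def sample_records():
    """Constructed header records: normal traffic, then a scan."""
    normal = [{"src": f"198.51.100.{i}", "dst": "10.0.0.80", "dport": 80, "flags": "S"}
              for i in range(15)]
    scan = [{"src": "192.0.2.9", "dst": f"10.0.0.{i}", "dport": 20 + i, "flags": "S"}
            for i in range(1, 6)]
    return normal + scan


if __name__ == "__main__":
    recs = sample_records()
    for rule, (s, c) in sorted(mine_rules(recs).items()):
        print(f"{rule[0]} -> {rule[1]}  support={s} confidence={c}")
    print(window_anomalies(recs, window=5))
```

Note that the rule (flags=S) → (dport=80) has support 0.75 but confidence only 0.75, so it is rejected, while (dport=80) → (dst=10.0.0.80) passes with confidence 1.0: confidence is directional, which is the whole point of writing the rule as A → B rather than as a co-occurrence.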

90 Performance
Emerald and ADAM were first and second in the 1999 DARPA evaluation (by some measures).
This was a test on simulated data.
Researchers were given a data set with truth (attacks and normal traffic annotated).
Researchers were then given a test set without truth, and had to detect the attacks.
No system performed perfectly. One could argue that none performed adequately.

91 SANS Top 20 List

92 An Example: Microsoft FAQ
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. However, attempts to exploit this vulnerability could most likely result in a denial of service condition.
What causes the vulnerability?
An unchecked buffer in the Print Spooler service.

93 Continued
What is the Print Spooler service?
The Print Spooler service, Spoolsv.exe, is an executable file that is installed as a service. The spooler is loaded when the operating system starts, and it continues to run until the operating system is shut down. The Print Spooler service manages the printing process, which includes such tasks as retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, and scheduling print jobs. When the tasks for a particular print job are complete, the Print Spooler service passes the job to the print router. For more information about the Print Spooler service, visit the following Web site.

94 Continued
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability for remote code execution could take complete control of the affected system. On Windows XP Service Pack 2 and Windows Server 2003 this issue would result in a denial of service condition. On other operating system versions, attempts to exploit this vulnerability would most likely result in a denial of service condition. However, remote code execution could be possible.

95 Continued
Who could exploit the vulnerability?
On Windows 2000 and Windows XP Service Pack 1, any anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability. On Windows XP Service Pack 2 and Windows Server 2003, this vulnerability is restricted to authenticated users. An authenticated attacker may also be able to log on locally to a system and attempt to exploit this vulnerability on all affected operating system versions.

96 Continued
How could an attacker exploit the vulnerability?
An attacker could try to remotely exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to execute code on operating system versions and configurations that were vulnerable to remote attack vectors. By default, Windows 2000 and Windows XP Service Pack 1 are vulnerable remotely. A remote attack vector cannot be created on Windows XP SP2 or on Windows Server 2003 unless a user who has appropriate permission shares a printer or tries to connect to a shared printer. To locally exploit this vulnerability on all operating system versions, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability.

97 Continued
What systems are primarily at risk from the vulnerability?
Windows 2000 and Windows XP Service Pack 1 are primarily at risk from this vulnerability. Windows XP Service Pack 2 and Windows Server 2003 systems are at a reduced risk because of the additional mitigating factors that exist on these operating system versions. However, systems configured as print servers are especially at risk to this vulnerability.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.

98 Continued
What does the update do?
The update removes the vulnerability by modifying the way that the Print Spooler service validates the length of a message before it passes the message to the allocated buffer.

99 Utilities
nmap.
p0f.
snort.

100 Nmap
A powerful network scanner. Can:
scan for open ports
perform active fingerprinting
evaluate vulnerabilities
act stealthy in the scans
spoof IP address to make it difficult to determine the scanner
Useful tool for security analysis. Useful tool for an attacker.

101 Nmap Example
nmap -sS -v -O localhost

102 Nmap Example
Adding TCP port 25 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 1024 (state Open).
Adding TCP port 9 (state Open).
Adding TCP port 111 (state Open).
Adding TCP port 513 (state Open).
Adding TCP port 515 (state Open).
Adding TCP port 80 (state Open).
Adding TCP port 21 (state Open).
Adding TCP port 22 (state Open).

103 Nmap Example
Adding TCP port 37 (state Open).
Adding TCP port 514 (state Open).
Adding TCP port 841 (state Open).
Adding TCP port 1 (state Open).
Adding TCP port 23 (state Open).
The SYN scan took 0 seconds to scan 1068 ports.
For OSScan assuming that port 1 is open and port is closed and neither are firewalled

104 Nmap Example
Port State Protocol Service
1 open tcp tcpmux
9 open tcp discard
13 open tcp daytime
21 open tcp ftp
22 open tcp ssh
23 open tcp telnet
25 open tcp smtp
37 open tcp time
80 open tcp www
111 open tcp sunrpc
513 open tcp login

105 Nmap Example
TCP Sequence Prediction: Class=trivial time dependency Difficulty=26 (Easy)
Sequence numbers: C C A B
Remote operating system guess: IRIX
Nmap run completed - 1 IP address (1 host up) scanned in 1 second

106 p0f
Passive fingerprinting off of TCP SYN packets.
Uses time-to-live (TTL), etc., to determine the likely operating system.
Has an extensive database of operating systems.
Must estimate the original TTL, since only the decremented value is observed.

107 snort
Lightweight network intrusion detection system.
Uses tcpdump-like filters, plus content matching.
Extensible through plug-ins.


Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last revised 1-11-17 KonBoot Get into any account without the password Works on Windows and Linux No longer free Link Ch 5r From the

More information

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1 Table of Contents 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1 i 1 Intrusion Detection Statistics Overview Intrusion detection is an important network

More information

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link. Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:

More information

Attack Prevention Technology White Paper

Attack Prevention Technology White Paper Attack Prevention Technology White Paper Keywords: Attack prevention, denial of service Abstract: This document introduces the common network attacks and the corresponding prevention measures, and describes

More information

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi INF5290 Ethical Hacking Lecture 3: Network reconnaissance, port scanning Universitetet i Oslo Laszlo Erdödi Lecture Overview Identifying hosts in a network Identifying services on a host What are the typical

More information

CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems CIT 480: Securing Computer Systems Scanning CIT 480: Securing Computer Systems Slide #1 Topics 1. Port Scanning 2. Stealth Scanning 3. Version Identification 4. OS Fingerprinting CIT 480: Securing Computer

More information

Detecting Specific Threats

Detecting Specific Threats The following topics explain how to use preprocessors in a network analysis policy to detect specific threats: Introduction to Specific Threat Detection, page 1 Back Orifice Detection, page 1 Portscan

More information

Internet Protocol and Transmission Control Protocol

Internet Protocol and Transmission Control Protocol Internet Protocol and Transmission Control Protocol CMSC 414 November 13, 2017 Internet Protcol Recall: 4-bit version 4-bit hdr len 8-bit type of service 16-bit total length (bytes) 8-bit TTL 16-bit identification

More information

Introduction to Network. Topics

Introduction to Network. Topics Introduction to Network Security Chapter 7 Transport Layer Protocols 1 TCP Layer Topics Responsible for reliable end-to-end transfer of application data. TCP vulnerabilities UDP UDP vulnerabilities DNS

More information

ELEC5616 COMPUTER & NETWORK SECURITY

ELEC5616 COMPUTER & NETWORK SECURITY ELEC5616 COMPUTER & NETWORK SECURITY Lecture 17: Network Protocols I IP The Internet Protocol (IP) is a stateless protocol that is used to send packets from one machine to another using 32- bit addresses

More information

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet

More information

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods Ping of death Land attack Teardrop Syn flood Smurf attack DOS Attack Methods Ping of Death A type of buffer overflow attack that exploits a design flaw in certain ICMP implementations where the assumption

More information

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Network Security Evil ICMP, Careless TCP & Boring Security Analyses Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Part I Internet Control Message Protocol (ICMP) Why ICMP No method

More information

DDoS Testing with XM-2G. Step by Step Guide

DDoS Testing with XM-2G. Step by Step Guide DDoS Testing with XM-G Step by Step Guide DDoS DEFINED Distributed Denial of Service (DDoS) Multiple compromised systems usually infected with a Trojan are used to target a single system causing a Denial

More information

A quick theorical introduction to network scanning. 23rd November 2005

A quick theorical introduction to network scanning. 23rd November 2005 A quick theorical introduction to network ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) http://www.csrrt.org/ 23rd November 2005 IP protocol ACK Network is not exact science When

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2650 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719

More information

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art 2015 IEEE 2015 International Conference on Computer, Communication, and Control Technology (I4CT 2015), April 21-23 in Imperial Kuching Hotel, Kuching, Sarawak, Malaysia A Review on ICMPv6 Vulnerabilities

More information

NETWORK SECURITY. Ch. 3: Network Attacks

NETWORK SECURITY. Ch. 3: Network Attacks NETWORK SECURITY Ch. 3: Network Attacks Contents 3.1 Network Vulnerabilities 3.1.1 Media-Based 3.1.2 Network Device 3.2 Categories of Attacks 3.3 Methods of Network Attacks 03 NETWORK ATTACKS 2 3.1 Network

More information

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network Always Remember Chapter #1: Network Device Configuration There is no 100 percent secure system, and there is nothing that is foolproof! 2 Outline Learn about the Security+ exam Learn basic terminology

More information

SANS SEC504. Hacker Tools, Techniques, Exploits and Incident Handling.

SANS SEC504. Hacker Tools, Techniques, Exploits and Incident Handling. SANS SEC504 Hacker Tools, Techniques, Exploits and Incident Handling http://killexams.com/exam-detail/sec504 QUESTION: 315 Which of the following techniques can be used to map 'open' or 'pass through'

More information

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting

More information

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities Flashback.. Internet design goals Security Part One: Attacks and Countermeasures 15-441 With slides from: Debabrata Dash,Nick Feamster, Vyas Sekar 15-411: F08 security 1 1. Interconnection 2. Failure resilience

More information

CSc 466/566. Computer Security. 18 : Network Security Introduction

CSc 466/566. Computer Security. 18 : Network Security Introduction 1/81 CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:57:28 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2630 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information

More information

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. R (2) N (5) Oral (3) Total (10) Dated Sign Experiment No: 1 Problem Definition: Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. 1.1 Prerequisite:

More information

Scanning. Scanning. Goals Useful Tools. The Basics NMAP. Scanning 1 / 34

Scanning. Scanning. Goals Useful Tools. The Basics NMAP. Scanning 1 / 34 Goals Useful s 1 / 34 Goals Useful s Suppose you re an attacker You want to attack a site How do you proceed? 2 / 34 Goals Goals Useful s Find an interesting (or vulnerable) machine Find a vulnerable service

More information

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2014 www.cs.cmu.edu/~prs/15-441-f14 Yes: Creating a secure channel for communication (Part I) Protecting

More information

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM 1 AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM 2 Introduction (1/2) TCP provides a full duplex reliable stream connection between two end points A connection is uniquely defined by the quadruple

More information

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004 Denial of Service Serguei A. Mokhov SOEN321 - Fall 2004 Contents DOS overview Distributed DOS Defending against DDOS egress filtering References Goal of an Attacker Reduce of an availability of a system

More information

TCP TCP/IP: TCP. TCP segment. TCP segment. TCP encapsulation. TCP encapsulation 1/25/2012. Network Security Lecture 6

TCP TCP/IP: TCP. TCP segment. TCP segment. TCP encapsulation. TCP encapsulation 1/25/2012. Network Security Lecture 6 TCP TCP/IP: TCP Network Security Lecture 6 Based on IP Provides connection-oriented, reliable stream delivery service (handles loss, duplication, transmission errors, reordering) Provides port abstraction

More information

Network Security. Thierry Sans

Network Security. Thierry Sans Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability

More information

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:

More information

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE UNIT III STUDY GUIDE Course Learning Outcomes for Unit III Upon completion of this unit, students should be able to: 1. Recall the terms port scanning, network scanning, and vulnerability scanning. 2.

More information

Unit 4: Firewalls (I)

Unit 4: Firewalls (I) Unit 4: Firewalls (I) What is a firewall? Types of firewalls Packet Filtering Statefull Application and Circuit Proxy Firewall services and limitations Writing firewall rules Example 1 Example 2 What is

More information

Module 19 : Threats in Network What makes a Network Vulnerable?

Module 19 : Threats in Network What makes a Network Vulnerable? Module 19 : Threats in Network What makes a Network Vulnerable? Sharing Unknown path Many points of attack What makes a network vulnerable? Unknown perimeter Anonymity Complexity of system Categories of

More information

DDoS and Traceback 1

DDoS and Traceback 1 DDoS and Traceback 1 Denial-of-Service (DoS) Attacks (via Resource/bandwidth consumption) malicious server legitimate Tecniche di Sicurezza dei Sistemi 2 TCP Handshake client SYN seq=x server SYN seq=y,

More information

Global Information Assurance Certification Paper

Global Information Assurance Certification Paper Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without

More information

Denial of Service and Distributed Denial of Service Attacks

Denial of Service and Distributed Denial of Service Attacks Denial of Service and Distributed Denial of Service Attacks Objectives: 1. To understand denial of service and distributed denial of service. 2. To take a glance about DoS techniques. Distributed denial

More information

CS 161 Computer Security

CS 161 Computer Security Raluca Ada Popa Spring 2018 CS 161 Computer Security Discussion 7 Week of March 5, 2018 Question 1 DHCP (5 min) Professor Raluca gets home after a tiring day writing papers and singing karaoke. She opens

More information

Computer Security and Privacy

Computer Security and Privacy CSE P 590 / CSE M 590 (Spring 2010) Computer Security and Privacy Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

Computer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key

Computer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key Computer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key DAY CLASS Dr. William M. Farmer DURATION OF EXAMINATION: 2 Hours MCMASTER UNIVERSITY FINAL EXAMINATION April 2008 THIS EXAMINATION

More information

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics: Network Forensics: Network OS Fingerprinting Prefix Hijacking Analysis Scott Hand September 30 th, 2011 Outline 1 Network Forensics Introduction OS Fingerprinting 2 Prefix Hijacking Theory BGP Background

More information

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by

More information

2. INTRUDER DETECTION SYSTEMS

2. INTRUDER DETECTION SYSTEMS 1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding

More information

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack Attacks on TCP Outline What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack TCP Protocol Transmission Control Protocol (TCP) is a core protocol

More information

2.1 A Primer on Network Sniffing Reconstructing TCP Streams Reconstructing Fragmented Packets 14

2.1 A Primer on Network Sniffing Reconstructing TCP Streams Reconstructing Fragmented Packets 14 Index 1 Executive Summary 4 1 Introduction 6 2 NIDS Concepts 8 2.1 A Primer on Network Sniffing 9 2.2 NIDS Placement 11 2.3 Logging 12 2.4 Reconstructing TCP Streams 13 2.5 Reconstructing Fragmented Packets

More information

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Layer 4: UDP, TCP, and others based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Concepts application set transport set High-level, "Application Set" protocols deal only with how handled

More information

ch02 True/False Indicate whether the statement is true or false.

ch02 True/False Indicate whether the statement is true or false. ch02 True/False Indicate whether the statement is true or false. 1. No matter what medium connects computers on a network copper wires, fiber-optic cables, or a wireless setup the same protocol must be

More information

Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University

Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University Why ICMP? UDP and TDP are not designed to report errors Provide a simple way to report errors between

More information

Basic Concepts in Intrusion Detection

Basic Concepts in Intrusion Detection Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification

More information

BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja?

BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja? BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja? Tarmo Mamers Heigo Mansberg Network Firewall Imagery stackexchange.com Network Firewall Functions Network Firewall Traffic OUTSIDE INSIDE INBOUND

More information

SE 4C03 Winter Final Examination Answer Key. Instructor: William M. Farmer

SE 4C03 Winter Final Examination Answer Key. Instructor: William M. Farmer SE 4C03 Winter 2003 Final Examination Answer Key Instructor: William M. Farmer (1) [2 pts.] Both the source and destination IP addresses are used to route IP datagrams. Is this statement true or false?

More information

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can Resources and Credits Denial of Service COMP620 Information on Denial of Service attacks can be found on Wikipedia. Graphics and some text in these slides was taken from the Wikipedia site The textbook

More information

A Study on Intrusion Detection Techniques in a TCP/IP Environment

A Study on Intrusion Detection Techniques in a TCP/IP Environment A Study on Intrusion Detection Techniques in a TCP/IP Environment C. A. Voglis and S. A. Paschos Department of Computer Science University of Ioannina GREECE Abstract: The TCP/IP protocol suite is the

More information

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation) 1 Network Security Kitisak Jirawannakool Electronics Government Agency (public organisation) A Brief History of the World 2 OSI Model vs TCP/IP suite 3 TFTP & SMTP 4 ICMP 5 NAT/PAT 6 ARP/RARP 7 DHCP 8

More information

20-CS Cyber Defense Overview Fall, Network Basics

20-CS Cyber Defense Overview Fall, Network Basics 20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter

More information

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

CYBER ATTACKS EXPLAINED: PACKET SPOOFING CYBER ATTACKS EXPLAINED: PACKET SPOOFING Last month, we started this series to cover the important cyber attacks that impact critical IT infrastructure in organisations. The first was the denial-of-service

More information

9. Security. Safeguard Engine. Safeguard Engine Settings

9. Security. Safeguard Engine. Safeguard Engine Settings 9. Security Safeguard Engine Traffic Segmentation Settings Storm Control DoS Attack Prevention Settings Zone Defense Settings SSL Safeguard Engine D-Link s Safeguard Engine is a robust and innovative technology

More information

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks Background This NISCC technical note is intended to provide information to enable organisations in the UK s Critical

More information

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense Hands-On Ethical Hacking and Network Defense Chapter 2 TCP/IP Concepts Review Last modified 1-11-17 Objectives Describe the TCP/IP protocol stack Explain the basic concepts of IP addressing Explain the

More information

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting

More information

CS61C Machine Structures Lecture 37 Networks. No Machine is an Island!

CS61C Machine Structures Lecture 37 Networks. No Machine is an Island! CS61C Machine Structures Lecture 37 Networks April 24, 2006 John Wawrzynek Page 1 No Machine is an Island! Computer Processor (active) Control ( brain ) Datapath ( brawn ) Memory (passive) (where programs,

More information

EE 122: Network Security

EE 122: Network Security Motivation EE 122: Network Security Kevin Lai December 2, 2002 Internet currently used for important services - financial transactions, medical records Could be used in the future for critical services

More information

Network Security. Tadayoshi Kohno

Network Security. Tadayoshi Kohno CSE 484 (Winter 2011) Network Security Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Intrusion Detection Systems Intrusion Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking

More information

CSCI 680: Computer & Network Security

CSCI 680: Computer & Network Security CSCI 680: Computer & Network Security Lecture 15 Prof. Adwait Nadkarni Fall 2017 Derived from slides by William Enck and Micah Sherr 1 Grading Class Participat ion and Quizzes 10% Grade Breakdown Homewo

More information

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet SYMANTEC ENTERPRISE SECURITY Symantec Internet Security Threat Report September 00 Power and Energy Industry Data Sheet An important note about these statistics The statistics discussed in this document

More information

The Internet is not always a friendly place In fact, hosts on the Internet are under constant attack How to deal with this is a large topic

The Internet is not always a friendly place In fact, hosts on the Internet are under constant attack How to deal with this is a large topic CSE 123 Computer Networking Fall 2009 Network security NAT, Firewalls, DDoS Geoff Voelker Network security The Internet is not always a friendly place In fact, hosts on the Internet are under constant

More information

Network Security. Network Vulnerabilities

Network Security. Network Vulnerabilities Network Security Network Vulnerabilities 1 Attacks and the OSI Stack Stack layer Services Protocols Application; Presentation; Session Transport DNS SMTP TCP Network Routers IP Logic Physical Switches

More information

Configuring IP Services

Configuring IP Services This module describes how to configure optional IP services. For a complete description of the IP services commands in this chapter, refer to the Cisco IOS IP Application Services Command Reference. To

More information

CHAPTER-2 IP CONCEPTS

CHAPTER-2 IP CONCEPTS CHAPTER-2 IP CONCEPTS Page: 1 IP Concepts IP is a very important protocol in modern internetworking; you can't really comprehend modern networking without a good understanding of IP. Unfortunately, IP

More information

Check Point DDoS Protector Introduction

Check Point DDoS Protector Introduction Check Point DDoS Protector Introduction Petr Kadrmas SE Eastern Europe pkadrmas@checkpoint.com Agenda 1 (D)DoS Trends 2 3 4 DDoS Protector Overview Protections in Details Summary 2 (D)DoS Attack Methods

More information

network security s642 computer security adam everspaugh

network security s642 computer security adam everspaugh network security s642 adam everspaugh ace@cs.wisc.edu computer security today Announcement: HW3 to be released WiFi IP, TCP DoS, DDoS, prevention 802.11 (wifi) STA = station AP = access point BSS = basic

More information

INFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY

INFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY INFS 766 Internet Security Protocols Lecture 1 Firewalls Prof. Ravi Sandhu INTERNET INSECURITY Internet insecurity spreads at Internet speed Morris worm of 1987 Password sniffing attacks in 1994 IP spoofing

More information

Exam Questions CEH-001

Exam Questions CEH-001 Exam Questions CEH-001 Certified Ethical Hacker (CEH) https://www.2passeasy.com/dumps/ceh-001/ 1. A company is legally liable for the content of email that is sent from its systems, regardless of whether

More information

inside: THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN

inside: THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 inside: SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN & The Advanced Computing Systems Association & The System Administrators

More information

UMSSIA INTRUSION DETECTION

UMSSIA INTRUSION DETECTION UMSSIA INTRUSION DETECTION INTRUSION DETECTION Sensor1 Event1, Event2 Monitor No intrusion M SensorN Event1, Event2 Alarm! IDS CHARACTERISTICS Characteristics an IDS can be classified/evaluated by: Type

More information
