Internet-Wide Port Scanners Some history behind the development of high performance port scanners. Things to consider, and necessary preparations

Transcription

1 Internet-Wide Port Scanners Some history behind the development of high performance port scanners. Things to consider, and necessary preparations before using these tools. Internet Vulnerability masscan, zmap support : Heartbleed Attacks SYN flood Denial of Service Attack DDoS

2 Visible Internet, what does that mean? Up until the last five years the visibility of the internet has been but a very small lense. Visibility is interpreted by a methodology to get a type of view of the internet. This type of topology is comprised of the networks across the internet such as computers, and other embedded systems. That are connected. Just recently been able to derive a realistic statistical representation of the size of the internet's topology. Between multiple Internet-Wide Network studies were being researched. All major internet scanning projects had tremendous amounts of time involved in terms of research. writing high performance port scanner from scratch. high performance port scanners such as masscan, scanrand, unicornscan, and ZMap. Developed to handle the task using asynchronous functionality.

3 Nmap as a high performance port scanner. nmap is not optimised for Internet-Wide scanning. Internet has roughly 4 billion addresses. mass scan can return 100,000 results in just a few minutes. nmap can handle 100,000 ports but not very well. However, this was an off shelf open source tool used in much of the port scanning research and gathering of much of the information for the Census and survey of the visible Internet (2008). Average for scanning 1 million hosts. Nmap about 45 minutes. (2 probs)97.8% coverage. masscan or Zmap 0.11 seconds. (2 probs) 100% coverage.

4 Researching the internet. EFF SSL Observatory: A glimpse at the CA ecosystems (2010) 3 months 3 linux Desktop 6500 CPU hours Mining P s and Q s: Widespread weak keys in network devices (2012) 25 hours across 25 Amazon EC2 Instances (625 CPU-hours) Carna botnet Internet Census: (2012) 420,000 usurped illegally or by force, hosts. <-

5 Botnet Legitimacy!? In the name of research!!! Abstract from the their website: While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage. All data gathered during our research is released into the public domain for further study.

6 Census and Survey of The Visible Internet(2008) Result of 2200 CPU-hours 3 months of work

7 Things to consider before using these tools. Theoretical Physical Infrastructure: Packets have overhead, ethernet 44 bytes overhead. TCP SYN packets are 40bytes overhead. -476mbs actual traffic. -524mbs of ethernet overhead < 1,488,000 packets/second TCP scanning utilizes very small packets, where overhead is larger than the content of the packet. Gigabit internet connection might just get charged for the overhead. ISP all bill at different rates so things will vary, some ISP provider offer unmetered links. Large volumes of very small packets may infringe on peering agreements and ISP might start to get mad at you. Switch may support heavy packet loads but rest of the internal infrastructure, in conjunction with the multiple hops out to the internet may not.

8 ComplainersSome things are worse than others: Heartbleed scans can generate abuse complaints weeks latter. HTTPS scans can get you put on fail2ban lists. ISP might drop you due to Co. or Org. threatening to block IP blocks, or peering agreements. Prevention: Must properly respond to abuse complaints. Put something in your user registry that explains what you are doing, and your intentions. maintain exclude list /etc/masscan/conf exclude = exclude-file = exclude.ips -these exclude list can also have messages. If Co. or Org. Won t give you there IP address you can look them up here. bgp.he.net/ search Query

9 What to do once you are legit?! Become famous! Live Demos! Written with sweet scripts... The tools available are OS, and written in C! modify modules to search for different things or to Query different things from established TCP connections similar to Banner mode in masscan.

10 Scripts that do stuff based on access... Paul Mcmillian: Does security for Python and Django products.

11 That can do things like this... Rob Graham -> <- Script results, hyperlinks to images taken from screen shots.

12 And take screen shots like this...

13 Heartbleed Attacks Is a known vulnerability in openssl/tls Disclosed in April 2014 in OpenSSL cryptographic library. A widely used implementation of the TLS protocol. SSL/TLS is a service that provides security for services such as web, , instant messaging, and some virtual private networks. Party using either the client end, or server end is vulnerable to this attack. Estimated that 17% ½ million internet secure web servers were vulnerable to the attack. This is a complicated scan but can be performed from a gigabit connection. Listing all potential servers. How a port scanner can aid in detection? TCP Connection masscan does with --banner function. will also scan for other vulnerabilities. --heartbleed

14 TCP SYN Flood type of amplification attacks. TCP/IP - 3-way handshake Client -- Server SYN (synchronize) -> SYN-ACK (acknowledge) <ACK (connection established) ->

15 Vulnerabilities, what is being exploited? Every time a server receives a request the server has to maintain message per relay. Attack exploits half open connections between, SYN message, and the final ACK that allows the service to be deallocated. IP client can provide a copy of it s IP address Forge/Spoof IP address. The IP has no way of preventing this. Fakes where the client is located. Server can t differentiate all the half open connections waiting a ACK to free allocated memory. Servers can/will effectively die, or crash. Unless N/A All connected system will send an echo response to the target that has been forged/spoofed by the attacker. Repeating several forged/spoofed IPs can eventually warrant an appropriate response. Granting access to attacker.

16 What does a port scanner have to do with, any of this? high performance port scanners send out 100 s thousands, if not millions of packets over search duration. All packets are probing certain blocks of IP addresses, at each and every port. Flood of constant TCP requests over the network simulates the behavior of <SIN> flood attack. In much the same way the masscan, and zmap for wwitools