CIT 480: Securing Computer Systems


Scanning
CIT 480: Securing Computer Systems Slide #1

Topics
1. Port Scanning
2. Stealth Scanning
3. Version Identification
4. OS Fingerprinting

Port Scanning
Port scanning is a method of discovering potential input channels on a host by probing the TCP and UDP ports on which services may be listening.

nmap TCP connect() scan
> nmap -sT scanme.nmap.org
Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-26
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.11s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
1720/tcp filtered H.323/Q.931
9929/tcp open     nping-echo
Nmap done: 1 IP address (1 host up) scanned in 9.92 seconds

Scanning Techniques
1. TCP connect() scan
2. TCP SYN scan
3. TCP FIN scan
4. TCP Xmas scan
5. TCP Null scan
6. TCP ACK scan
7. Fragmentation scan
8. FTP bounce scan
9. Idle scan
10. UDP scan

TCP connect() scan
Use the connect() system call on each port, following the normal TCP connection protocol (3-way handshake). connect() succeeds if the port is listening.
Advantages: fast, requires no privileges.
Disadvantages: easily detectable and blockable.

TCP SYN Scan
Send a SYN packet and wait for the response:
  SYN+ACK: port is open. Send RST to tear down the half-open connection.
  RST: port is closed.
Advantage: less likely to be logged or blocked.
Disadvantage: requires root privilege.

TCP FIN scan
Send a TCP FIN packet and wait for the response:
  No response: port is open.
  RST: port is closed.
Advantages: more stealthy than a SYN scan.
Disadvantages: MS Windows doesn't follow the standard (RFC 793) and responds with RST in both cases; requires root privilege.

Xmas and Null Scans
Similar to the FIN scan, with different flag settings.
Xmas scan: sets the FIN, URG, and PUSH flags.
Null scan: turns off all TCP flags.

TCP ACK Scan
Does not identify open ports. Used to determine the firewall type:
  Packet filter (identifies responses by the ACK bit, so an ACK probe passes through).
  Stateful (tracks connections, so an unsolicited ACK is dropped).
Send a TCP ACK packet to the specified port:
  RST: port is unfiltered (the packet got through).
  No response or ICMP unreachable: port is filtered.

Fragmentation Scan
Modify a TCP stealth scan (SYN, FIN, Xmas, Null) to use tiny fragmented IP datagrams.
Advantages: increases the difficulty of scan detection and blocking.
Disadvantages: does not work on all OSes, and may crash some firewalls/sniffers.

FTP Bounce Scan
The FTP protocol supports proxy FTP: the client requests that the server send a file to another IP address and port. If the server can open the connection, the port is open.
Advantages: hides the identity of the scanning host; bypasses firewalls by using an FTP server behind the firewall.
Disadvantages: most FTP servers no longer support proxying. Printer FTP servers often still do.

Idle Scan
Use an intermediate idle host to do the scan.
  The idle host must increment its IP ID for each packet it sends.
  The idle host must not receive traffic from anyone other than the attacker.
Scan process:
1. Attacker connects to the idle host to obtain its initial IP ID X.
2. Send a SYN packet to port Y of the target with the spoofed IP address of the idle host.
3. If the port is open, the target host will send SYN+ACK to the idle host.
4. The idle host will send an RST packet with IP ID X+1 to the target.
5. Attacker connects with SYN to the idle host to obtain the updated IP ID.
6. The idle host sends SYN+ACK back to the attacker. Note that this action will increment the IP ID by 1.
If the IP ID is X+2, then port Y on the target is open.
Advantages: hides the scanner's IP address from the target.

UDP Scans
Send a 0-byte UDP packet to each UDP port:
  UDP packet returned: port is open.
  ICMP port unreachable: port is closed.
  Nothing: port is listed as open|filtered. Either the packet was lost, or the server only answers on valid input.
Disadvantages: the ICMP error rate is throttled to a few packets/second (RFC 1812), making UDP scans of all 65535 ports very slow. MS Windows doesn't implement rate limiting.

Version Scanning
Port scanning reveals which ports are open; from that we can only guess the services on well-known ports.
How can we do better? Find out what server is running: vendor and version.
  telnet/netcat to the port and check for a banner.
  Version scanning.

Banner Checking with netcat
> nc www.nku.edu 80
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Sun, 07 Oct 2007 19:27:08 GMT
Server: Apache/1.3.34 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.25 OpenSSL/0.9.7a
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

127
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<p>
client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /<P>
</BODY></HTML>

Version Scanning
1. If the port is TCP, open a connection.
2. Wait for the service to identify itself with a banner.
3. If there is no identification, or the port is UDP:
   1. Send a probe string based on the well-known service for that port.
   2. Check the response against a database of known results.
4. If there is no match, test all probe strings in the list.
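The four steps above, and the banner check on the preceding netcat slide, as an added example that is not part of the original slides: a small probe/match engine in the style of nmap's service-probe database, plus a hardening check that lists what a verbose Server header gives away. The probe names echo nmap's, but the probe contents, match rules and the fake_server responder are constructed for this example; the sample response is the header block from the netcat slide, embedded so the code runs offline.

```python
import re
from typing import Callable, Optional, Tuple

# Constructed sample response: the headers from the netcat session on the
# slide, embedded here so the example runs without network access.
APACHE_BANNER = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Date: Sun, 07 Oct 2007 19:27:08 GMT\r\n"
    "Server: Apache/1.3.34 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.25 OpenSSL/0.9.7a\r\n"
    "Connection: close\r\n\r\n"
)

# Probe strings keyed by name. A stand-in for nmap's nmap-service-probes
# file: the names echo nmap's, the contents and rules below are our own.
PROBES = {
    "NULL": b"",                                   # send nothing, just read the banner
    "GetRequest": b"GET / HTTP/1.0\r\n\r\n",
    "DNSStatusRequest": bytes.fromhex("0000 1000 0000 0000 0000 0000"),
}

# Probe to try first for a well-known port (step 3.1 of the slide).
WELL_KNOWN = {("tcp", 22): "NULL", ("tcp", 80): "GetRequest", ("udp", 53): "DNSStatusRequest"}

# Match rules: (probe name, regex on the response, product); group 1 = version.
MATCHES = [
    ("NULL", re.compile(r"^SSH-2\.0-OpenSSH_(\S+)"), "OpenSSH"),
    ("GetRequest", re.compile(r"^HTTP/1\.[01] \d{3}.*?\r\nServer: Apache/([\w.]+)", re.S), "Apache httpd"),
    ("GetRequest", re.compile(r"^HTTP/1\.[01] \d{3}.*?\r\nServer: nginx/([\w.]+)", re.S), "nginx"),
    ("DNSStatusRequest", re.compile(r"^\x00\x00\x90"), "DNS server"),
]


def _match(probe: str, response: str) -> Optional[Tuple[str, Optional[str]]]:
    """Step 3.2: check one response against the rules recorded for that probe."""
    for name, rx, product in MATCHES:
        if name == probe:
            m = rx.search(response)
            if m:
                return product, (m.group(1) if m.groups() else None)
    return None


def identify_service(proto: str, port: int, banner: str,
                     send_probe: Callable[[bytes], str]) -> Optional[Tuple[str, Optional[str]]]:
    """The four steps from the slide. `banner` is whatever the service said on
    its own after connect (TCP only); `send_probe` stands in for writing a
    probe to the socket and reading the reply."""
    tried = set()
    if proto == "tcp":                       # steps 1-2: listen for a self-identifying banner
        tried.add("NULL")
        hit = _match("NULL", banner)
        if hit:
            return hit
    first = WELL_KNOWN.get((proto, port))    # step 3: probe for the well-known service
    if first and first not in tried:
        tried.add(first)
        hit = _match(first, send_probe(PROBES[first]))
        if hit:
            return hit
    for name, data in PROBES.items():        # step 4: no match, try every remaining probe
        if name in tried or (proto == "udp" and name == "NULL"):
            continue
        hit = _match(name, send_probe(data))
        if hit:
            return hit
    return None


VERSION_TOKEN = re.compile(r"([A-Za-z][\w-]*)/([\w.]+)")


def disclosed_versions(response: str):
    """Hardening check for the defender: every component/version pair the
    Server header hands to a version scanner. An empty list means the banner
    gives away nothing (for Apache, what ServerTokens Prod produces)."""
    m = re.search(r"^Server:[ \t]*(.*?)\r?$", response, re.M)
    return VERSION_TOKEN.findall(m.group(1)) if m else []


def fake_server(proto: str, port: int) -> Callable[[bytes], str]:
    """Constructed stand-in for a remote host so the example runs offline."""
    def respond(probe: bytes) -> str:
        if (proto, port) == ("tcp", 80) and probe.startswith(b"GET "):
            return APACHE_BANNER
        if (proto, port) == ("tcp", 8080) and probe.startswith(b"GET "):
            return "HTTP/1.0 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"
        if (proto, port) == ("udp", 53) and probe == PROBES["DNSStatusRequest"]:
            return "\x00\x00\x90\x04"          # id 0, QR=1, opcode=status, rcode=NOTIMP
        return ""
    return respond


if __name__ == "__main__":
    print(identify_service("tcp", 22, "SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7\r\n", fake_server("tcp", 22)))
    print(identify_service("tcp", 80, "", fake_server("tcp", 80)))
    print(identify_service("udp", 53, "", fake_server("udp", 53)))
    print(disclosed_versions(APACHE_BANNER))
```

The UDP path shows why step 3 exists: a DNS server says nothing until it is sent a well-formed query, so there is no banner to read. On the defensive side, disclosed_versions is the check to run against your own servers; the slide's Apache banner yields five component versions, each of which a scanner can line up against a vulnerability database.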

nmap version scan
> nmap -sV scanme.nmap.org
Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-26 17:11 EDT
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.10s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
80/tcp   open     http        Apache httpd 2.2.14 ((Ubuntu))
1720/tcp filtered H.323/Q.931
9929/tcp open     nping-echo  Nping echo
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

More nmap Tools
Set source port: bypass a firewall by scanning from an allowed source port. Use port 80 for TCP scans and port 53 for UDP scans.
Decoys: send additional scans from a list of decoy hosts, spoofing their IP addresses. The defender has to investigate the decoys as well as the attacker.

Defences
Prevention
  Disable unnecessary services.
  Block ports at the firewall.
  Use a stateful firewall instead of a packet filter.
Detection
  Network Intrusion Detection Systems.
  Port scans often have distinct signatures.
  An IPS can react to a scan by blocking the IP address.
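The "distinct signatures" the detection bullet refers to are the ones laid out on the scanning-technique slides above, and this added example (not from the original slides) turns them into two NIDS-style rules run over a constructed packet list: a flag rule that names a FIN, Xmas or Null probe from the TCP flag combination alone, since no legitimate connection starts with those flags, and a sweep rule that fires when one source sends SYNs to many distinct ports on one host inside a short window, which catches connect() and SYN scans alike. The packet records, the threshold and the window are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from typing import List, Optional, Tuple

# Constructed packet records: (seconds, src, dst, dst port, TCP flags as
# letters: S=SYN, A=ACK, F=FIN, P=PUSH, U=URG, R=RST). Not real traffic.
SAMPLE = [
    (0.0, "10.0.0.7", "192.168.1.10", 443, "S"),     # ordinary client: one port
    (0.1, "10.0.0.7", "192.168.1.10", 443, "A"),     # completes its handshake
] + [
    (1.0 + i * 0.1, "10.0.0.5", "192.168.1.10", p, "S")   # SYNs to ten ports in one second
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])
] + [
    (3.0, "10.0.0.9", "192.168.1.10", 22, "FPU"),    # Xmas probe
    (3.1, "10.0.0.9", "192.168.1.10", 23, ""),       # Null probe
    (3.2, "10.0.0.9", "192.168.1.10", 25, "F"),      # FIN probe
]


def flag_signature(flags: str) -> Optional[str]:
    """Name the stealth probe a flag combination betrays, or None when the
    combination is one a normal TCP conversation can produce."""
    f = frozenset(flags)
    if not f:
        return "NULL scan"
    if f == frozenset("FPU"):
        return "Xmas scan"
    if f == frozenset("F"):
        return "FIN scan"
    if {"S", "F"} <= f:
        return "SYN+FIN (invalid flag combination)"
    return None


def detect_scans(packets, port_threshold: int = 8, window: float = 5.0) -> List[Tuple]:
    """Return (src, dst, dport, description) alerts. Flag-based alerts fire per
    packet; the sweep alert fires once when a source's SYNs reach
    `port_threshold` distinct ports on one destination within `window` seconds."""
    alerts = []
    syns = defaultdict(deque)            # (src, dst) -> recent (time, dport) of SYN-only packets
    for t, src, dst, dport, flags in packets:
        sig = flag_signature(flags)
        if sig:
            alerts.append((src, dst, dport, sig))
            continue
        if flags == "S":
            q = syns[(src, dst)]
            q.append((t, dport))
            while q and t - q[0][0] > window:    # drop SYNs that fell out of the window
                q.popleft()
            if len({p for _, p in q}) == port_threshold:
                alerts.append((src, dst, None, f"port sweep: {port_threshold} ports in {window:g}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE):
        print(alert)
```

The sweep rule is deliberately keyed on the SYN alone rather than on whether the handshake completes, so it does not matter whether the scanner used connect() or a half-open SYN scan; the ordinary client in the sample never trips it because it only touches one port. The source address in an alert is what an IPS would block, with the caveat from the decoy slide that a scanner can spoof decoy sources to make that reaction expensive.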

OS Fingerprinting
Identify the OS by specific features of its TCP/IP network stack implementation.
  Explore TCP/IP differences between OSes.
  Build a database of OS TCP/IP fingerprints.
  Send a set of specially tailored packets to the host.
  Match the results to an identical fingerprint in the database to identify the operating system type and version.

nmap OS fingerprint examples
> sudo nmap -O scanme.nmap.org
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.38-3.0
Uptime guess: 12.224 days
TCP Sequence Prediction: Difficulty=202 (Good luck!)
IP ID Sequence Generation: All zeros

> sudo nmap -v -O 192.168.1.1
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.18-2.4.35 (likely embedded)
Uptime guess: 29.789 days
TCP Sequence Prediction: Difficulty=196 (Good luck!)
IP ID Sequence Generation: All zeros

OS Fingerprinting Techniques
FIN probe: RFC 793 requires no response; MS Windows, BSDI, and Cisco IOS send RST.
Bogus flag probe: bit 7 of the TCP flags is unused; Linux <2.0.35 keeps the flag set in its response.
TCP ISN sampling: different algorithms for choosing TCP ISNs.
IP Identification: different algorithms for incrementing the IP ID.
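The last two techniques above, and the idle-scan precondition on the earlier slide (an idle host must bump its IP ID by exactly one per packet), come down to classifying a sequence of numbers sampled from a host. This added example, not part of the original slides, does that classification for IP IDs and ISNs and reports whether a host's IP ID behaviour makes it usable as the relay of an idle scan, which is the property a defender wants to know about their own hosts. The category names and thresholds are our own, chosen to mirror the spirit of nmap's "IP ID Sequence Generation" and "TCP Sequence Prediction" lines rather than to reproduce nmap's algorithm; the sample sequences are constructed.

```python
from typing import Sequence


def classify_sequence(values: Sequence[int], bits: int, busy_limit: int) -> str:
    """Label a sequence of IP IDs (16-bit) or ISNs (32-bit) observed from one
    host. Differences are taken modulo 2**bits so a counter that wraps is
    still recognised as incremental."""
    if len(values) < 3:
        raise ValueError("need at least three samples")
    if all(v == 0 for v in values):
        return "all zeros"
    mod = 1 << bits
    diffs = [(b - a) % mod for a, b in zip(values, values[1:])]
    if all(d == 1 for d in diffs):
        return "incremental"                 # one counter, one packet per sample
    if all(d == diffs[0] for d in diffs):
        return "constant increments"         # predictable, e.g. a fixed-step ISN generator
    if all(1 <= d <= busy_limit for d in diffs):
        return "small positive increments"   # a counter, but the host sends other traffic too
    return "random"


def classify_ipid(ids: Sequence[int]) -> str:
    return classify_sequence(ids, bits=16, busy_limit=1000)


def classify_isn(isns: Sequence[int]) -> str:
    return classify_sequence(isns, bits=32, busy_limit=1 << 20)


def idle_relay_risk(ids: Sequence[int]) -> bool:
    """True when the host could serve as the 'idle host' of an idle scan: a
    third party can count its packets by sampling its IP ID. 'all zeros' (as
    in the nmap output on the slide) or random IDs remove that risk; a busy
    host with irregular increments makes the X+2 inference unreliable."""
    return classify_ipid(ids) == "incremental"


# Constructed samples, not captured from real hosts.
SAMPLES = {
    "all zeros": [0, 0, 0, 0],
    "incremental": [65533, 65534, 65535, 0, 1],             # wraps at 2**16
    "small positive increments": [1000, 1003, 1004, 1009],  # other traffic in between
    "random": [5123, 40012, 77, 61000],
}


if __name__ == "__main__":
    for label, ids in SAMPLES.items():
        print(f"{label:28s} -> {classify_ipid(ids):28s} idle-relay risk: {idle_relay_risk(ids)}")
    print(classify_isn([0x12345678, 0x9ABCDEF0, 0x0BADCAFE]))
```

The same diff-based classification serves both lines of nmap's output on the slide: an ISN generator that returns "constant increments" or "incremental" is the kind of stack that makes TCP sequence prediction easy, while "random" corresponds to the "Good luck!" verdict. Running classify_ipid over a few SYN+ACKs from each of your own hosts is a cheap way to find the ones an outsider could use as an idle-scan relay.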

Passive Fingerprinting
Identify the OSes of hosts on the network by sniffing the packets each host sends.
Uses similar characteristics to the active techniques:
  TTL
  MSS
  Initial window size
  Don't Fragment bit
Tools: p0f
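The four characteristics listed above, matched against a signature table, are the whole of the passive method, and this added example (not the slides' own code, and not p0f) shows it on a handful of constructed SYN records. The signature table holds commonly reported default values for a few stacks and is illustrative only; the initial-TTL values (32, 64, 128, 255) are the conventional starting points, and the difference between the starting value and the observed TTL gives the hop distance as a by-product.

```python
from typing import Dict, Optional, Tuple

# Illustrative signature table: (initial TTL, SYN window, DF bit, MSS, label).
# Typical defaults as commonly reported, not p0f's real database. None = wildcard.
SIGNATURES = [
    (64,  5840,  True, 1460, "Linux 2.4/2.6"),
    (64,  29200, True, 1460, "Linux 3.x/4.x"),
    (64,  65535, True, 1460, "FreeBSD / macOS"),
    (128, 8192,  True, 1460, "Windows 7/8"),
    (128, 64240, True, 1460, "Windows 10"),
]


def initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common starting value; the
    difference is the hop count between the host and the sniffer."""
    for base in (32, 64, 128, 255):
        if observed <= base:
            return base
    raise ValueError("TTL out of range")


def fingerprint(ttl: int, window: int, df: bool, mss: Optional[int]) -> Tuple[str, int]:
    """Match one SYN's characteristics against the table; returns (label, hops)."""
    base = initial_ttl(ttl)
    for sig_ttl, sig_win, sig_df, sig_mss, label in SIGNATURES:
        if (sig_ttl == base and sig_df == df
                and sig_win in (None, window) and sig_mss in (None, mss)):
            return label, base - ttl
    return "unknown", base - ttl


# Constructed SYN records as a sniffer would see them: (src, TTL, window, DF, MSS).
SAMPLE_SYNS = [
    ("10.0.0.5",  52,  29200, True,  1460),
    ("10.0.0.8",  117, 8192,  True,  1460),
    ("10.0.0.9",  64,  65535, True,  1460),
    ("10.0.0.12", 250, 1024,  False, None),   # no MSS option at all
]


def inventory(records) -> Dict[str, Tuple[str, int]]:
    """Passive OS inventory: one (label, hops) entry per source address."""
    return {src: fingerprint(ttl, win, df, mss) for src, ttl, win, df, mss in records}


if __name__ == "__main__":
    for src, (label, hops) in inventory(SAMPLE_SYNS).items():
        print(f"{src:12s} {label:18s} {hops} hops away")
```

Because it only listens, this is also the natural defender's tool: an inventory built this way flags a host whose stack does not match what the asset register says it runs. It also makes the deception defence on the next slide concrete, since a tool like IP Personality works precisely by changing the TTL, window, DF and MSS values that this table keys on.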

Fingerprinting Defences
Detection: NIDS.
Blocking: firewalling. Some probes can't be blocked.
Deception: IP Personality changes the Linux TCP/IP stack signature to that of another OS in the nmap database.

Scanning Tools Summary
Information              Tool
IP addresses of hosts    ping, nmap -sP
Network topology         traceroute, lft
Open ports               nmap -sT, nmap -sU
Service versions         nmap -sV
OS                       nmap -O, p0f
Vulnerabilities          Nessus, OpenVAS

References
1. Fyodor, NMAP documentation, http://nmap.org/docs.html.
2. Fyodor, Remote OS detection via TCP/IP Stack FingerPrinting, Phrack 54, http://www.insecure.org/nmap/nmap-fingerprintingarticle.html.
3. Gordon "Fyodor" Lyon, Nmap Network Scanning, 2008.
4. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
CIT 480: Securing Computer Systems Slide #27