Module 19: Threats in Network

What makes a network vulnerable?
- Sharing
- Unknown path
- Many points of attack
- Unknown perimeter
- Anonymity
- Complexity of system

Categories of attack:
There are two categories of attacks:
(i) Active v/s passive attack
(ii) Insider v/s outsider attack

Who attacks networks?
Attackers attack for different reasons:
- Challenge
- Fame
- Money and espionage
- Organized crime
- Ideology

Hacktivism and cyberterrorism:
Hacktivism involves all kinds of activities in which hacking techniques are applied to a target's network. These activities just disrupt routine operations and do not cause serious damage.
Cyberterrorism involves all kinds of politically motivated activities in which hacking operations cause harm, including loss of life or economic breakdown.

How do attackers gather information?
- Port scan
- Pinging

Port Scan:
A port scan can reveal three facts.
1. Which standard ports are up, and which services are running and answering on the target system.
2. Which operating system is installed on the target machine.
3. What applications are installed, and their versions.

Pinging:
Ping is used to check whether a host is alive. Ping sends an ICMP echo request, causing the target to respond with an ICMP reply packet.
Port scanning:
For rendering services, the TCP/IP protocol suite uses 2 primary protocols:
1) TCP
2) UDP
Every TCP and UDP packet contains information about the source port and the destination port. Port numbers range from 0-65535, which requires 16 bits.

Port scanning methods

1. TCP Connect (not stealth, not secret)
Uses the open system call provided by the kernel to connect to specified ports on the target host. Opens a TCP connection via the TCP 3-way handshake.

[Diagram: packets exchanged between Client and Server: SYN, SYN/ACK, ACK, ACK/FIN, ACK, ACK/RST]

A TCP connect scan finishes the three-way handshake, so the application listening on the destination port will answer this request for connection. The application will log the connection attempt.

2. TCP SYN/Half open (stealth):
In this method, the scanner sends a SYN packet to the target host. If the target host is listening on a particular port, it responds with SYN+ACK. If the target host is alive but not listening on a particular port, an RST packet will be sent. In this method, scanning does not complete the 3-way handshake; that is why this method is stealthy, because nothing is logged by the target host.

3. FIN
In this method, a FIN packet is sent to the target host. If the target host is alive and not listening on a particular port, it will respond with an RST packet. If the target host is listening on a particular port, it will not respond. A Microsoft host sends an RST packet in all cases, so such a host is identified as a Microsoft Windows host.

4. XMAS
In this method, the host sends out a packet with the FIN, URG and PUSH flags set. If the target host is listening on a particular port, it sends an RST packet back. If the target host is not listening on that port, it does not respond.

5. NULL
In this method, the host sends a TCP packet to the destination host with all the flags turned off in the TCP header. If the target host is listening on a particular port, it does not respond. If the target host is not listening on a particular port, it sends an RST packet.

6. RPC
In this method, the host sends NULL commands to open ports to determine whether they are RPC ports. If an open port is an RPC port, the application bound to that port is checked and information is obtained.

7. ACK
In this method, the host sends ACK packets to the target host. If the target host does not respond or sends back an ICMP unreachable packet, the port is filtered by a firewall. If the target sends back an RST packet, the port is not filtered by a firewall. This method is used to check firewall rule sets.

8. Window
This method detects open, filtered and unfiltered ports on some systems due to a reported
anomaly in the window sizes of TCP.

9. UDP
This method sends a UDP packet. If the target host is not listening on the port used for communication, an ICMP port unreachable packet is received. If the target host is listening on the port used for communication, the sending host does not receive such a packet. Scanning with UDP is unreliable because UDP is not connection oriented.

Try nmap
Download nmap from https://nmap.org
In the command tab type:
1) nmap -sS -p 22,25,80,443 192.168.100.0/24
2) nmap --help
3) Perform ping sweeps:
    nmap -sP

FIN scanning:
    nmap -sF 216.58.220.4
    Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-11-03 21:15 India Standard Time
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 4.03 seconds

TCP connect port scan:
    nmap -sT 216.58.220.4
    Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-11-03 21:17 India Standard Time
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 4.20 seconds

XMAS scanning:
    nmap -sX 216.58.220.4
    Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-11-03 21:18 India Standard Time
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 4.04 seconds

Perform TCP pings:
    nmap -PT[port_number] host
    nmap -PT6000 192.168.1.1
- If a host responds with an RST packet, nmap considers the host alive and performs the port scan immediately.
- By default, nmap sends the ACK packet to port 80.

Perform TCP-connect port scans:
    nmap -sT 10.0.0.1
Perform SYN scanning:
    nmap -sS 192.168.1.150
Perform FIN scan:
    nmap -sF 192.168.1.100
XMAS scanning:
    nmap -sX 192.168.1.1
NULL scanning:
    nmap -sN 192.168.1.100
RPC scanning:
    nmap -sR 10.0.0.10
IP protocol scanning:
    nmap -sO 192.168.1.1
UDP port scanning:
    nmap -sU 192.168.1.100

Countermeasure:
1. Block ICMP
Configure the firewall to drop incoming echo requests and outgoing ICMP echo replies.

2. Prevent TCP ping scans
Use a stateful firewall to protect the network. Configure the firewall to drop all ACK packets that do not belong to an already established TCP connection.

3. Defend against port scans
Configure the firewall to drop packets destined for closed ports. Most firewalls and IDSs have the ability to detect port scans. Use a stateful firewall.

Threats in Transit:
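
Countermeasure 3 above notes that most firewalls and IDSs can detect port scans. The following Python example is added here and is not part of the original module: it flags any source that probes many distinct ports within a short window and labels the probes by the TCP flag combinations the module gives for SYN, FIN, XMAS and NULL scans. The log format, addresses, function names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# TCP flag combinations the module describes for each probe type.
PROBE_TYPES = {
    frozenset({"SYN"}): "SYN",  # also the first packet of a connect scan
    frozenset({"FIN"}): "FIN",
    frozenset({"FIN", "URG", "PSH"}): "XMAS",
    frozenset(): "NULL",
}

# Constructed sample records: "epoch_seconds src_ip dst_port tcp_flags"
SAMPLE_LOG = """\
100 10.0.0.5 22 SYN
100 10.0.0.5 25 SYN
101 10.0.0.5 80 SYN
101 10.0.0.5 443 SYN
100 10.0.0.9 443 SYN
160 10.0.0.9 443 SYN
103 10.0.0.7 21 FIN,URG,PSH
103 10.0.0.7 22 FIN,URG,PSH
104 10.0.0.7 23 FIN,URG,PSH
104 10.0.0.7 25 -
"""

def parse(line):
    ts, src, port, flags = line.split()
    flagset = frozenset() if flags == "-" else frozenset(flags.split(","))
    return int(ts), src, int(port), PROBE_TYPES.get(flagset, "OTHER")

def detect_scans(log_text, window=10, min_ports=4):
    """Map sources that hit >= min_ports distinct ports in `window` s to probe types."""
    by_src = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, port, kind = parse(line)
        by_src[src].append((ts, port, kind))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge so the span covers at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len({port for _, port, _ in span}) >= min_ports:
                alerts[src] = sorted({kind for _, _, kind in span})
                break
    return alerts
```

Calling `detect_scans(SAMPLE_LOG)` reports 10.0.0.5 and 10.0.0.7 but not 10.0.0.9, which only revisits one port. The `min_ports` and `window` values need tuning against normal traffic on the protected network.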