A quick theorical introduction to network scanning. 23rd November 2005

Similar documents
CIT 480: Securing Computer Systems

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

Module 19 : Threats in Network What makes a Network Vulnerable?

Introduction to TCP/IP networking

EE 610 Part 2: Encapsulation and network utilities

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

TCP /IP Fundamentals Mr. Cantu

CSCI-GA Operating Systems. Networking. Hubertus Franke

User Datagram Protocol

Transport: How Applications Communicate

ECE4110 Internetwork Programming. Introduction and Overview

Attack Prevention Technology White Paper

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Chapter 8 roadmap. Network Security

Packet Header Formats

Transport Over IP. CSCI 690 Michael Hutt New York Institute of Technology

Internet Control Message Protocol (ICMP)

CSC 574 Computer and Network Security. TCP/IP Security

Configuring attack detection and prevention 1

ICS 451: Today's plan

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

Basics of executing a penetration test

K2289: Using advanced tcpdump filters

Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

CS 356: Computer Network Architectures. Lecture 10: IP Fragmentation, ARP, and ICMP. Xiaowei Yang

Hands-On Ethical Hacking and Network Defense

Configuring attack detection and prevention 1

TCP/IP Transport Layer Protocols, TCP and UDP

Lecture 9: Internetworking

CHAPTER-2 IP CONCEPTS

Interconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1

CSE/EE 461 Lecture 13 Connections and Fragmentation. TCP Connection Management

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

FOCUS on Intrusion Detection: Intrusion Detection Level Analysis of Nmap and Queso Page 1 of 6

A Study on Intrusion Detection Techniques in a TCP/IP Environment

Network Security: Scan

8/19/2010. Computer Forensics Network forensics. Data sources. Monitoring

inside: THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN

Network Intrusion Detection Systems. Beyond packet filtering

Redesde Computadores(RCOMP)

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Analysis of TCP Segment Header Based Attack Using Proposed Model

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Interconnecting Networks with TCP/IP

Lecture 11: IP routing, IP protocols

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Computer Security and Privacy

ELEC5616 COMPUTER & NETWORK SECURITY

Configuring Flood Protection

Transport Layer. The transport layer is responsible for the delivery of a message from one process to another. RSManiaol

ECE 358 Project 3 Encapsulation and Network Utilities

The Internetworking Problem. Internetworking. A Translation-based Solution

Layered Networking and Port Scanning

SE 4C03 Winter Final Examination Answer Key. Instructor: William M. Farmer

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

Computer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key

Vorlesung Kommunikationsnetze

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

How to Create an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports or TTL Values,

Just enough TCP/IP. Protocol Overview. Connection Types in TCP/IP. Control Mechanisms. Borrowed from my ITS475/575 class the ITL

Network Technology 1 5th - Transport Protocol. Mario Lombardo -

HP High-End Firewalls

Prerequisites for Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports

TCP/IP Protocol Suite

TCP/IP Networking. Part 4: Network and Transport Layer Protocols

Configuring IP Services

TCP: Transmission Control Protocol RFC 793,1122,1223. Prof. Lin Weiguo Copyleft 2009~2017, School of Computing, CUC

Operational Security Capabilities for IP Network Infrastructure

TCP Overview Revisited Computer Networking. Queuing Disciplines. Packet Drop Dimensions. Typical Internet Queuing. FIFO + Drop-tail Problems

! ' ,-. +) +))+, /+*, 2 01/)*,, 01/)*, + 01/+*, ) 054 +) +++++))+, ) 05,-. /,*+), 01/-*+) + 01/.*+)

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Dongsoo S. Kim Electrical and Computer Engineering Indiana U. Purdue U. Indianapolis

CPSC156a: The Internet Co-Evolution of Technology and Society. Lecture 4: September 16, 2003 Internet Layers and the Web

Building an IPS solution for inline usage during Red Teaming

Creating an IP Access List to Filter IP Options, TCP Flags, or Noncontiguous Ports

Introduction to Internet. Ass. Prof. J.Y. Tigli University of Nice Sophia Antipolis

network security s642 computer security adam everspaugh

TSIN02 - Internetworking

Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports

COMMON LOWER-LAYER PROTOCOLS

ETSF05/ETSF10 Internet Protocols Transport Layer Protocols

Introduction to Internetworking

n Understand EC-Council s scanning methodology n Describe scan types and the objectives of scanning

Network and Security: Introduction

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

Problem Set 7 Due: Start of Class, November 2

CS61C Machine Structures Lecture 37 Networks. No Machine is an Island!

CSEP 561 Internetworking. David Wetherall

HP High-End Firewalls

SecBlade Firewall Cards Attack Protection Configuration Example

Lab - Using Wireshark to Examine TCP and UDP Captures

Prerequisites for Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports

Network Security. Network Vulnerabilities

EE 122: Transport Protocols. Kevin Lai October 16, 2002

Software Engineering 4C03 Answer Key

Transcription:

A quick theorical introduction to network ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) http://www.csrrt.org/ 23rd November 2005 IP protocol ACK

Network is not exact science When an information system is able to interact over the network : The system is always giving some information about himself The system may be used to act as a network tool Attackers are always looking for such kind of services Network is playing an important role in the process of network discovery for end-user but also for the potential attackers. IP protocol ACK

IP protocol How to know the IP protocol supported by a system. Not only limited to UDP or TCP. The approach used is quite simple : - We send a raw IP packet with the protocol defined (RFC3232) and wait for the reply : if received an ICMP protocol unreachable, the protocol is not available on the stack if we got nothing, the procotol is available or ICMP packets are filtered by a firewall IP protocol ACK e.g. : Useful for testing the protocol available on a router. Is IGMP available?

Nifty Internet Control Message Protocol : ICMP type 8 - echo request ICMP type 13 - time stamp request ICMP type 15 - information request ICMP type 17 - netmask request ICMP can be used as very basic discovery tool. Not always filtered as some of them are required by RFCs and/or for proper operation. IP protocol ACK

Connect Scan A connect scan is a scan using the vallina connect() approach. The full TCP 3-way handshake is done : - We send a SYN to the target host and port: We wait for the SYN-ACK from the target host if yes, we ll send an ACK to the target. This means that port is open. If we got a RST, the target host is not listening on that port. The connect() scan is very slow, very visible (e.g. TCP Wrappers, netstat) due to the full handshake (ESTABLISHED state). IP protocol ACK

A half-open scan is where the full TCP handshake is not done : - We send a SYN to the target host and port : We wait for the SYN-ACK from the target host if yes, we ll send directly a RST to the target. This means that port is open but we don t continue the handshake. If we got a RST, the target host is not listening on that port. The half-open scan is less visible than the connect() scan. This scan is always faster than the connect() scan too. The main issue is the use of the SYN flag... IP protocol ACK

By default a TCP stack must respond (RFC793) to non-syn flag on a closed port with a RST. For open port, the datagram must be discarded. But various systems are still sending RST on open ports too... - We send an FIN or FIN/URG/PUSH or no flag to the target host and port : We wait for the RST from the target host if yes, this means that port is closed. If we got nothing, this is probably an open port. Results are not always reliable but can be used in conjunction with other scan. The main advantage is not to use SYN flag (e.g. packet filter only checking for SYN). IP protocol ACK

ACK An ACK scan is often used to check the kind of packet filter between you and the target host. - We send an ACK (random ack/seq) to the target host and port : We wait for the RST from the target host Variation of the TTL and Window field is also interesting. if yes, this means that port is unfiltered. If we got nothing, this is probably a filtered port. IP protocol ACK

If you are an attacker, it s always better to find ways to somewhat hide your various activities : using FTP relay (old ftp server) - RFC959 using open proxies (e.g. CONNECT method) Idle scan approach Using a zombie host to receive your request Cover channel using IPID (IP identification) to receive the reply on open port from the zombie IP protocol ACK

Signatures are built on various TCP/IP parameters : TTL (max. ttl is different following the OS/version) Window Size DF bit set (some OS are sending it or not) ToS ECN, Selective Acknowledgement,... You can build database of remote services including Operating System version, revision...(check tools presentation) IP protocol ACK

Is there any network in the honeynet network capture? If yes, what are the methods used to scan the honeynet? Can you make a passive on the capture itself? If yes, how will you proceed? What are the open ports (only with the capture) on the honeynet target host? IP protocol ACK

Thanks for listening. http://www.csrrt.org.lu/ adulau@foo.be IP protocol ACK

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback