Network Security: Scan

Similar documents
Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

CIT 480: Securing Computer Systems

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi

inside: THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN

A quick theorical introduction to network scanning. 23rd November 2005

Interconnecting Networks with TCP/IP

Configuring attack detection and prevention 1

Hands-On Ethical Hacking and Network Defense

Interconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1

Module 19 : Threats in Network What makes a Network Vulnerable?

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

network security s642 computer security adam everspaugh

TCP /IP Fundamentals Mr. Cantu

Basics of executing a penetration test

Packet Header Formats

Computer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key

Preview from Notesale.co.uk Page 3 of 36

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

K2289: Using advanced tcpdump filters

Configuring attack detection and prevention 1

Software Engineering 4C03 Answer Key

Lab 6.7.1: Ping and Traceroute

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

EE 610 Part 2: Encapsulation and network utilities

ECE 358 Project 3 Encapsulation and Network Utilities

Ethical Hacking Basics Course

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

FOCUS on Intrusion Detection: Intrusion Detection Level Analysis of Nmap and Queso Page 1 of 6

Practical Training in. IT-Security. Information gathering. - Experiment manual - Tasks. B.Sc. BG 24 M.Sc. AI MN 1 M.Sc. EB 10

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Layered Networking and Port Scanning

CIS 551 / TCOM 401 Computer and Network Security

IK2206 Internet Security and Privacy Firewall & IP Tables

Experiment 2: Wireshark as a Network Protocol Analyzer

What this talk is about?

Network and Security: Introduction

Introduction to Network. Topics

Building an IPS solution for inline usage during Red Teaming

8/19/2010. Computer Forensics Network forensics. Data sources. Monitoring

Network Address Translation

TCP TCP/IP: TCP. TCP segment. TCP segment. TCP encapsulation. TCP encapsulation 1/25/2012. Network Security Lecture 6

Paper solution Subject: Computer Networks (TE Computer pattern) Marks : 30 Date: 5/2/2015

IpMorph : Unification of OS fingerprinting defeating or, how to defeat common OSFP tools.

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Change Management: DYNAMIC NETWORK MAPPING. LinuxWorld San Francisco Security Track. Presented by Joshua D. Abraham.

Chapter 8 roadmap. Network Security

Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development

Introduction to Internetworking

ch02 True/False Indicate whether the statement is true or false.

Network+ Guide to Networks 6 th Edition. Chapter 4 Introduction to TCP/IP Protocols

Understand ping sweep techniques. Understand nmap command switches. List TCP communication flag types. Understand war-dialing techniques

CSC 574 Computer and Network Security. TCP/IP Security

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can

Sirindhorn International Institute of Technology Thammasat University

Certified Vulnerability Assessor

Lab - Using Wireshark to Examine TCP and UDP Captures

Analysis of TCP Segment Header Based Attack Using Proposed Model

ELEC / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

Configuring Commonly Used IP ACLs

ICS 351: Networking Protocols

Honeyd A OS Fingerprinting Artifice

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

Dongsoo S. Kim Electrical and Computer Engineering Indiana U. Purdue U. Indianapolis

8.9.2 Lab: Configure an Ethernet NIC to use DHCP in Windows Vista

Nsauditor White Paper. Abstract

Wireshark: Are You Under Attack? Kyle Feuz School of Computing

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

9. Security. Safeguard Engine. Safeguard Engine Settings

Instituto Superior Técnico, Universidade de Lisboa Network and Computer Security. Lab guide: Traffic analysis and TCP/IP Vulnerabilities

On Assessing the Impact of Ports Scanning on the Target Infrastructure

ECE4110 Internetwork Programming. Introduction and Overview

Computer and Network Security

Protocol Layers & Wireshark TDTS11:COMPUTER NETWORKS AND INTERNET PROTOCOLS

ECE 650 Systems Programming & Engineering. Spring 2018

Handbook. Step by step practical hacking training

Interested in learning more? Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights

Revolutionizing Active Operating System Fingerprinting The Present & Future of Xprobe2. Ofir Arkin

Ofir Arkin CTO

CSE/EE 461 Lecture 13 Connections and Fragmentation. TCP Connection Management

Lab Configure Basic AP security through GUI

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

University of Toronto Faculty of Applied Science and Engineering. Final Exam, December ECE 461: Internetworking Examiner: J.

Computer Security and Privacy

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods

Your Name: Your student ID number:

Stateless Firewall Implementation

The Internet Protocol (IP)

tcp-map through type echo Commands

Scanning. Scanning. Goals Useful Tools. The Basics NMAP. Scanning 1 / 34

Curso: Ethical Hacking and Countermeasures

Prof. Shervin Shirmohammadi SITE, University of Ottawa. Internet Protocol (IP) Lecture 2: Prof. Shervin Shirmohammadi CEG

Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University

Chapter 09 Network Protocols

Exam Questions CEH-001

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Linux Networking: tcp. TCP context and interfaces

Host Identity Sources

Transcription:

Network Security: Scan Seungwon Shin, KAIST some slides from Dr. Brett Tjaden

More about Scan

Scan Techniques Network scanning where is a target? which service is available on a target? can I have more information? Vulnerability scanning which vulnerable services are running on a target?

ICMP Scan ICMP protocol used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached several types type 8 type 13 echo request ping packet type 15 timestamp request from nmap.org information request RARP, BOOTP (rarely used) type 17 subnet address mask request find the subnet mask used by the target host

ICMP Scan Example Nmap send ping packet not so effective ICMPScan a bulk scanner that sends type 8, 13, 15, and 17 messages example xprobe2 icmpscan -c -t 500 -r 1 192.168.1.0/24 c: enable promiscuous mode t: timeout for probe response (ms) r: retries for each probe can do OS fingerprinting with ICMP example xprobe2 -v 192,168.0.174

xprobe2 example

How xprobe2 works How to fingerprint use OS specific implementation of TCP/IP stack 14:42:36.105884 IP (tos 0x6,ECT(0), ttl 64, id 19475, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.0.4 > 192.168.0.101: ICMP echo request, id 19639, seq 1, length 64 14:42:36.107486 IP (tos 0x0, ttl 128, id 59791, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.0.101 > 192.168.0.4: ICMP echo reply, id 19639, seq 1, length 64 Linux Windows XP SP2 192.168.0.4 192.168.0.101 14:45:59.273678 IP (tos 0x6,ECT(0), ttl 64, id 49892, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.0.4 > 192.168.0.100: ICMP echo request, id 22065, seq 1, length 64 14:45:59.275212 IP (tos 0x6,ECT(0), ttl 64, id 56932, offset 0, flags [none], proto: ICMP (1), length: 84) 192.168.0.100 > 192.168.0.4: ICMP echo reply, id 22065, seq 1, length 64 Linux 192.168.0.100

TCP Scan usual connect( ) call scan half-open TCP SYN scan kind of stealthy inverse TCP flag scan ACK flag scan TCP fragmentation scan with the help of a third-party FTP bounce

Inverse TCP flag F/W and IDS will detect (or record) a SYN packet sent to some sensitive network ports e.g., port 80, 443, and etc An attacker can evade by sending FIN probe packet (FIN flag) XMAS probe (FIN, URG, and PUSH flag) NULL probe (no flags) attacker TCP FIN packet to 80 target if open: no response if closed: RST/ACK RFC 793: out of state packet to an open port - discard

FTP Bounce Scan Why do we need this? hide an attacker 1. set up a connection 2. issue a PORT command 3. issue a LIST command attacker FTP server 6. deliver the results 4. create a connection to the target 5. response from the target target

FTP Bounce Scan PORT 143.248.111.100:23 200 PORT command successful LIST 143.248.111.100:23 150 Opening ASCII mode data connection for the list 226 transfer complete LIST 143.248.111.100:23 425 Can t build data connection: Connection refused 23 open 23 closed

Others Some more useful tools whois dig nslookup web search and much more

Vulnerability Scan Vulnerability scanner an automated tool that scans hosts and networks for known vulnerabilities and weaknesses find which host is vulnerable to what Examples NESSUS now commercial product OpenVAS fork of NESSUS, open source Retina commercial product

Vulnerability Scan How it works Similar to virus scanning software: Contain a database of vulnerability signatures that the tool searches for on a target system Cannot find vulnerabilities not in the database New vulnerabilities are discovered often Vulnerability database must be updated regularly

Vulnerability Scan Find what Network vulnerabilities Host-based (OS) vulnerabilities Misconfigured file permissions Open services Missing patches Vulnerabilities in commonly exploited applications Web, DNS, and mail servers

Vulnerability Scan target Vulnerability Database GUI Scanning Engine Knowledge Base Results target target target target

OpenVAS www.openvas.org

Case Study

Interesting Research Work A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan written by Ang Cui and Salvatore J. Stolfo Columbia University Published in ACSAC 2012 Student Best Paper

Problem Domain and Goal Embedded Devices have been known that they are Insecure and available as a source for new, stealthy botnets Then, how to know if it is true A global scan method can be used in getting some clues

Approach Scan the world Scan the world s largest Residential ISPs Commercial ISPs EDU, GOV etc Scan in United States Asia Europe Identify Embedded Devices cisco-ios web_cisco-web level_15_access web_cisco-web Linksys SPA Configuration web_linksys-spa Linksys PAP2 Configuration web_linksys-pap2 SpeedStream Router Configurator web_speedstream DD-WRT Control Panel web_ddwrt Try the default password root: username_prompt: ['sername:'] username: ['cisco ] askuser: true passstr: ['assword:'] incorrect: [sername, assword] success: ['\$', '\#', '>'] passwords: ['cisco ] devicetype: cisco linesep: ''

Scan Recognizance scan large portions of the internet port 23 (telnet) and 80 (http) Identification try to connect all telnet and http servers detect their manufacturer and model of the device Verification try to log in with the default password

Result Distribution of vulnerable embedded devices total number: 540,435

Result Distribution of vulnerable embedded devices (types)

Result

Why is this important? Router Exploitation DIK (Da IOS Rootkit, Sebastian Muniz) http://eusecwest.com/esw08/esw08-muniz.pdf Router Transit Vulnerabilities (Felix Linder) http://www.blackhat.com/presentations/bh-usa-09/lindner/bhusa09-lindner-routerexploit- SLIDES.pdf Reliable Cisco IOS Exploit (Felix Linder) http://www.phenoelit-us.org/stuff/fx_phenoelit_25c3_cisco_ios.pdf Router Botnet Network Bluepill http://dronebl.org/blog Keiten Bot Helel Mod 1.0 Ezba Elohim Runs on D-link routers http://packetstormsecurity.nl/irc/kaiten.c

Some Extension When Firmware Modifications Attack: A Case Study of Embedded Exploitation NDSS, 2013 The State of Embedded-Device Security (Spoiler Alert: It's Bad) IEEE S&P Magazine, 2012 Shodan!

Shodan It is a search engine that allows you to look for devices connected to the internet mostly embedded devices webcam, wireless AP, and etc How to provide search results? scanning networks

Shodan

Shodan

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback