Presentation transcript:

1 IP Network Scanning

2 Outline
- What is IP network scanning?
  - Concepts, motivation
- Example tool: nmap
- Scanning types
  - Host discovery
  - Port scanning
  - Version detection
  - OS detection

3 What is Scanning?
- A method to gather information regarding the devices running on the network
- Typically used to discover services or servers on a network
  - Which hosts are up?
  - Which services are offered?
- Do not confuse with a “host vulnerability scanner” (Nessus, SAINT), which further explores a computer by testing for common vulnerabilities

4 Why Scanning?
- Network security assessment
  - Evaluation and auditing of security
  - Firewall penetration test (policy auditing)
  - IDS proof/evaluation
- Identifying unexpected new servers
- Identifying open ports for
  - proactively protecting the network (network and security admins)
  - attacking it (hackers)

5 nmap
- A well known and free security scanner written by Fyodor (http://insecure.org/nmap/)
- First released Sept 1, 1997 in Phrack 51, “The Art of Port Scanning” (http://www.phrack.org/issues.html?issue=51)
- Many updates since then:
  - OS detection (http://www.phrack.org/issues.html?issue=54&id=9#article)
  - Version scanning
  - ARP scanning
- Version 5.00 as of this doc
- Usage: nmap [scan types] [options]

6 Why nmap
- An excellent tool
- Long history of development and support
- Continuous development and improvements
- “Industry standard” port scanner

7 nmap features
- Host discovery: which hosts are alive?
  - Identifying computers on a network, for example listing the computers which respond to pings (ping sweeps)
- Port scanning: what services are available?
  - Enumerating the open ports on one or more target computers
- Service and version detection: which version is running?
  - Determining the application name and version number
- OS detection: what platforms are served?
  - Remotely determining the OS and some hardware characteristics of network devices

8 Host Discovery
- Querying multiple hosts using this method is referred to as ping sweeps
- The most basic step in mapping out a network
- Several sweep techniques:
  - ICMP sweeps
  - Broadcast ICMP
  - Non-echo ICMP
  - TCP sweeps
  - UDP sweeps

9 Host Discovery: ICMP Sweeps
- Technique
  - Send an ICMP ECHO request (ICMP type 8)
  - If an ICMP ECHO reply (ICMP type 0) is received: the target is alive
  - No response: the target is down
- Pros & cons
  - Easy to implement
  - Fairly slow, easy to block
[Diagram: Scanner -> Target: ICMP ECHO request; Target -> Scanner: ICMP ECHO reply (host is alive). Scanner -> Target: ICMP ECHO request; no response (host is down/filtered).]

10 Host Discovery: Broadcast ICMP
- Sending ICMP ECHO requests to the network and/or broadcast addresses
- Windows ignores this
- Most routers block this

11 Host Discovery: Non-ECHO ICMP
- ICMP type 13 messages (TIMESTAMP): query the current time
- ICMP type 17 messages (ADDRESS MASK REQUEST): used by diskless systems to obtain their subnet mask at bootstrap time (RFC 792)

12 Host Discovery: TCP Sweeps
- Sending TCP ACK or TCP SYN packets
- The port number can be selected to avoid blocking by a firewall
  - Usually a good pick would be 21 / 22 / 23 / 25 / 80
- But firewalls can spoof a RESET packet for an IP address, so TCP sweeps may not be reliable

13 Host Discovery: UDP Sweeps
- Relies on the ICMP PORT UNREACHABLE message: a non-active UDP port will respond with ICMP PORT UNREACHABLE
- Assume the port is open if no ICMP PORT UNREACHABLE message is received after sending a UDP datagram
- Cons:
  - Routers can drop UDP packets as they cross the Internet
  - Many UDP services do not respond when correctly probed
  - Firewalls are usually configured to drop UDP packets (except for DNS)

14 nmap Host Discovery summary
- -sL: List Scan - simply list targets to scan
- -sP: Ping Scan - go no further than determining if host is online
- -PN: Treat all hosts as online -- skip host discovery
- -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
- -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
- -PO [protocol list]: IP Protocol Ping
- -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
- --dns-servers : Specify custom DNS servers
- --system-dns: Use OS's DNS resolver
- -sU: UDP Scan

15 Port Scanning
- To determine what services are running or in a LISTENING state
- Some well known types:
  - TCP Connect scan
  - TCP SYN scan
  - Stealth scan
  - FTP bounce scan

16 Port Scanning: TCP Connect Scan
- Uses the basic TCP connection establishment mechanism; completes the 3-way handshake
- Easy to detect by inspecting the system log
[Diagram: Scanner -> Target: SYN; Target -> Scanner: SYN/ACK; Scanner -> Target: ACK (port is open). Scanner -> Target: SYN; Target -> Scanner: RST/ACK (port is closed).]

17 Port Scanning: TCP SYN Scan
- Does not establish a complete connection (half-open scanning)
- Send a SYN packet and wait for a response
  - If a SYN/ACK is received => the port is LISTENING; immediately tear down the connection by sending a RESET
  - If an RST/ACK is received => a non-LISTENING port
[Diagram: Scanner -> Target: SYN; Target -> Scanner: SYN/ACK; Scanner -> Target: RST (port is open). Scanner -> Target: SYN; Target -> Scanner: RST/ACK (port is closed).]

18 Port Scanning: Stealth Scan
- To gather information about target sites while avoiding detection
  - Tries to hide among normal network traffic
  - Not logged by the logging mechanism (stealth)
- Techniques
  - Flag probe packets (also called “inverse mapping”)
    - A response is sent back only by a closed port
    - By determining what services do not exist, an intruder can infer what services do exist
  - Slow scan rate
    - Difficult to detect => needs a long history log
- CERT reported this technique in CERT® Incident Note IN

19 Port Scanning: Stealth Mapping
- RFC 793: how to handle wrong-state packets
  - Closed ports: reply with a RESET packet to wrong-state packets
  - Open ports: ignore any packet in question
- Technique
  - An RST scan
  - A FIN probe with the FIN TCP flag set
  - An XMAS probe with the FIN, URG, ACK, SYN, RST, PUSH flags set
  - A NULL probe with no TCP flags set
[Diagram: Scanner -> Target: probe packet; no response (port is open). Scanner -> Target: probe packet; Target -> Scanner: RST/ACK (port is closed).]

20 Port Scanning: FTP Bounce Scanning
- Connects to an FTP server, establishes a control connection, and asks the FTP server to initiate an active-mode server data transfer to the target
- Rather slow
- Some FTP servers disable the “proxy” feature, but there are still many that do not
[Diagram: Scanner -> FTP server: PORT 10,0,0,5,0,22; FTP server -> Target: TCP SYN; Target -> FTP server: RST; FTP server -> Scanner: 425 Cannot build data connection.]

21 Port Scanning with nmap
SCAN TECHNIQUES:
- -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
- -sN/sF/sX: TCP Null, FIN, and Xmas scans
- -b : FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
- -p : Only scan specified ports
  - Ex: -p22; -p ; -p U:53,111,137,T:21-25,80,139,8080
- -F: Fast mode - Scan fewer ports than the default scan
- -r: Scan ports consecutively - don't randomize
- --top-ports : Scan most common ports
- --port-ratio : Scan ports more common than
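The -p syntax on the slide (single ports, ranges, comma lists, and T:/U: protocol prefixes) is small enough to parse completely. The parser below is an added example written for this transcript; it is not nmap's own code. It assumes that a protocol prefix applies to every element after it until the next prefix and that elements before any prefix are TCP, and it rejects out-of-range or reversed ranges, which is where hand-written port lists usually go wrong.

```python
"""Parser for nmap-style -p port specifications (added example, not nmap code).

Supported syntax, as shown on the slide:
  "22"                              a single port
  "21-25"                           an inclusive range
  "U:53,111,137,T:21-25,80,139,8080" comma list with protocol prefixes

Assumption for this example: a prefix (T: or U:) stays in effect for the
elements that follow it; elements seen before any prefix are treated as TCP.
"""
from __future__ import annotations


class PortSpecError(ValueError):
    """Raised for malformed, reversed or out-of-range port specifications."""


def _expand_token(token: str) -> set[int]:
    """Expand '22' or '21-25' into the set of ports it denotes."""
    if "-" in token:
        lo_s, hi_s = token.split("-", 1)
        lo, hi = int(lo_s), int(hi_s)
    else:
        lo = hi = int(token)
    if not (0 <= lo <= hi <= 65535):
        raise PortSpecError(f"range reversed or out of 0-65535: {token!r}")
    return set(range(lo, hi + 1))


def parse_port_spec(spec: str) -> dict[str, set[int]]:
    """Return {'tcp': {...}, 'udp': {...}} for an nmap -p style string."""
    ports: dict[str, set[int]] = {"tcp": set(), "udp": set()}
    proto = "tcp"  # protocol in effect before any T:/U: prefix (assumption)
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            raise PortSpecError("empty element in port specification")
        # A protocol prefix applies to this element and the ones after it.
        if len(token) > 1 and token[1] == ":" and token[0].upper() in ("T", "U"):
            proto = "tcp" if token[0].upper() == "T" else "udp"
            token = token[2:]
            if not token:
                raise PortSpecError(f"protocol prefix without a port: {raw!r}")
        try:
            ports[proto] |= _expand_token(token)
        except ValueError as exc:  # int() failures and our own range errors
            raise PortSpecError(f"bad port element {raw!r}") from exc
    return ports


def port_count(spec: str) -> int:
    """Number of distinct (protocol, port) pairs the specification covers."""
    parsed = parse_port_spec(spec)
    return len(parsed["tcp"]) + len(parsed["udp"])


if __name__ == "__main__":
    for example in ("22", "1-1024", "U:53,111,137,T:21-25,80,139,8080"):
        parsed = parse_port_spec(example)
        print(f"{example!r}: tcp={sorted(parsed['tcp'])} udp={sorted(parsed['udp'])}")
```

The count function is the useful side effect for a defender reviewing an authorised scan plan: a specification like 1-65535 on both protocols is 131072 probes per host, which is what makes a scan loud on the wire.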

22 Services and Versions Detection
- The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses
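To show what "match expressions to recognize and parse responses" means in practice, here is an added example, not nmap's code, that reads a few match lines written in the style of nmap-service-probes (match <service> m|regex|[flags] p/product/ v/version/ i/info/ h/hostname/, with $N expanded to regex groups) and applies them to constructed banners. The match lines and banners are invented for the example and are deliberately simpler than the real database; only this subset of the file syntax is handled (no softmatch lines, no ports directives, no CPE fields), and Python's re stands in for nmap's PCRE.

```python
"""Simplified nmap-service-probes style matcher (added example, not nmap code).

Parses lines of the form
    match <service> m<delim>regex<delim>[flags] [p/product/] [v/version/] [i/info/] [h/hostname/]
and applies them to service banners, expanding $1, $2, ... in the version
fields from the regex groups. Only this subset of the real syntax is supported.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed match lines for the example; patterns are simplified and not
# copied from the real nmap-service-probes database.
MATCH_LINES = r"""
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\w.]+)|s p/Apache httpd/ v/$1/
match ftp m|^220 ProFTPD ([\d.]+) Server| p/ProFTPD/ v/$1/
match smtp m|^220 ([\w.-]+) ESMTP Postfix|i p/Postfix smtpd/ h/$1/
"""

# Constructed banners, as a service-detection probe might capture them.
BANNERS = {
    "22/tcp": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    "80/tcp": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
    "21/tcp": "220 ProFTPD 1.3.7 Server (Debian) [::ffff:10.0.0.5]\r\n",
    "25/tcp": "220 mail.example.test ESMTP Postfix\r\n",
    "8080/tcp": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",  # no rule matches this one
}

_FIELD_NAMES = {"p": "product", "v": "version", "i": "info", "h": "hostname",
                "o": "os", "d": "devicetype"}
_FIELD_RE = re.compile(r"\b([pvihod])/([^/]*)/")
_FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL}


@dataclass
class MatchRule:
    service: str
    regex: re.Pattern
    fields: dict[str, str] = field(default_factory=dict)  # e.g. {"v": "$2"}


def parse_match_line(line: str) -> MatchRule:
    """Parse one 'match' line; the regex delimiter is the char after 'm'."""
    parts = line.split(None, 2)
    if len(parts) < 3 or parts[0] != "match" or not parts[2].startswith("m"):
        raise ValueError(f"not a match line: {line!r}")
    service, rest = parts[1], parts[2]
    delim = rest[1]
    end = rest.index(delim, 2)          # closing delimiter (no escaping needed here)
    pattern, tail = rest[2:end], rest[end + 1:]
    flags, i = 0, 0
    while i < len(tail) and tail[i] in _FLAG_MAP:   # regex flags follow the delimiter
        flags |= _FLAG_MAP[tail[i]]
        i += 1
    return MatchRule(service, re.compile(pattern, flags), dict(_FIELD_RE.findall(tail[i:])))


def load_rules(text: str = MATCH_LINES) -> list[MatchRule]:
    return [parse_match_line(l) for l in text.strip().splitlines() if l.strip()]


def _expand(template: str, m: re.Match) -> str:
    """Replace $1, $2, ... with the corresponding regex groups."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", template)


def identify(banner: str, rules: list[MatchRule]) -> dict[str, str] | None:
    """First matching rule wins, as in nmap; None means 'unknown service'."""
    for rule in rules:
        m = rule.regex.search(banner)
        if m:
            result = {"service": rule.service}
            for key, template in rule.fields.items():
                result[_FIELD_NAMES[key]] = _expand(template, m)
            return result
    return None


def identify_all(banners: dict[str, str] = BANNERS) -> dict[str, dict[str, str] | None]:
    rules = load_rules()
    return {port: identify(banner, rules) for port, banner in banners.items()}


if __name__ == "__main__":
    for port, info in identify_all().items():
        print(port, info)
```

Seen from the service side, the takeaway is that everything the matcher recovers comes from the banner text, so a service that returns a minimal banner (as the constructed nginx entry does here) yields no product or version at all.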

23 Operating System Detection
- Banner, DNS HINFO and ...
- TCP/IP fingerprinting (IP stack implementations respond differently)
  - FIN probe, bogus flag probe
  - TCP initial sequence number sampling, TCP initial window, ACK value
  - ICMP error quenching, message quoting, ICMP echo integrity
  - IP: DF, TOS, fragmentation

24 OS Detection: Examples
- ACK value: sending FIN|PSH|URG to a closed port
  - Most OSes: ACK with the same sequence number
  - Windows: ACK with sequence number + 1
- Type of Service: probing with an ICMP_PORT_UNREACHABLE message
  - Most OSes: TOS = 0
  - Linux: TOS = 0xC0

25 Version and OS Detection with nmap
SERVICE/VERSION DETECTION:
- -sV: Probe open ports to determine service/version info
- --version-intensity : Set from 0 (light) to 9 (try all probes)
- --version-light: Limit to most likely probes (intensity 2)
- --version-all: Try every single probe (intensity 9)
- --version-trace: Show detailed version scan activity (for debugging)
OS DETECTION:
- -O: Enable OS detection
- --osscan-limit: Limit OS detection to promising targets
- --osscan-guess: Guess OS more aggressively

26 Port Scanning Detection
- For administrators, to detect scanning:
  - Log suspicious packets
  - Identify connections not properly terminated
  - Record port usage
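The three administrator checks above map directly onto the scan types from slides 16, 17 and 19: a SYN scan leaves connections that reach SYN/ACK and are then reset without ever being ACKed, FIN/NULL/XMAS probes arrive outside any tracked connection (the "wrong-state" packets RFC 793 describes), and any scan touches far more distinct ports per source than a normal client. The detector below is an added example written for this transcript, not code from nmap or from any IDS; it tracks TCP flows by (client, server, server port) over a constructed packet log, and its record format, thresholds and state names are assumptions made for the example.

```python
"""Port-scan detector over a constructed packet log (added example, not IDS or nmap code).

Implements the three checks from the slide:
  1. log suspicious packets: flag-combination probes seen outside any tracked flow
  2. identify connections not properly completed: SYN -> SYN/ACK -> RST with no ACK
  3. record port usage: distinct (host, port) pairs touched per source address
Packet records, thresholds and state names are assumptions for this example.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # any of S A F R P U (SYN ACK FIN RST PSH URG), "" = no flags


def classify_probe(flags: str) -> str:
    """Name a packet that arrived outside any tracked connection. RFC 793: a closed
    port answers such packets with RST, an open port ignores them, so they are the
    stealth-mapping probes from slide 19."""
    f = set(flags)
    if not f:
        return "NULL probe"
    if f == {"F"}:
        return "FIN probe"
    if {"F", "P", "U"} <= f:      # covers both FIN/PSH/URG and the all-flags variant
        return "XMAS probe"
    if f == {"A"}:
        return "ACK probe"
    return "out-of-state packet"


@dataclass
class Report:
    suspicious: list[tuple] = field(default_factory=list)          # (ts, src, dst, dport, kind)
    half_open: list[tuple[str, str, int]] = field(default_factory=list)
    ports_touched: dict[str, set] = field(default_factory=lambda: defaultdict(set))
    flows: dict[tuple[str, str, int], str] = field(default_factory=dict)
    scanners: list[str] = field(default_factory=list)


def analyze(packets: list[Pkt], port_threshold: int = 5) -> Report:
    """Flow key is (client, server, server_port); the first SYN defines the client."""
    report = Report()
    flows = report.flows
    for p in sorted(packets, key=lambda x: x.ts):
        as_client = (p.src, p.dst, p.dport)     # packet travelling client -> server
        as_server = (p.dst, p.src, p.sport)     # packet travelling server -> client
        if as_client in flows:
            if flows[as_client] == "syn_ack":
                if "R" in p.flags:              # SYN/ACK answered with RST: half-open scan
                    flows[as_client] = "half_open_reset"
                    report.half_open.append(as_client)
                elif "A" in p.flags:            # third handshake packet: real connection
                    flows[as_client] = "established"
        elif as_server in flows:
            if flows[as_server] == "syn_sent" and "S" in p.flags and "A" in p.flags:
                flows[as_server] = "syn_ack"
            elif "R" in p.flags:                # closed port answered with RST
                flows[as_server] = "refused"
        else:
            report.ports_touched[p.src].add((p.dst, p.dport))
            if p.flags == "S":
                flows[as_client] = "syn_sent"
            else:                               # no SYN, no flow: a probe worth logging
                flows[as_client] = "probe"
                report.suspicious.append((p.ts, p.src, p.dst, p.dport, classify_probe(p.flags)))
    report.scanners = [src for src, ports in report.ports_touched.items()
                       if len(ports) >= port_threshold]
    return report


# Constructed log: one scanner mixing SYN, connect and stealth probes, one normal client.
SCANNER, TARGET, CLIENT = "10.0.0.99", "10.0.0.5", "10.0.0.7"
LOG = [
    Pkt(0.0, SCANNER, 40001, TARGET, 22, "S"),
    Pkt(0.1, TARGET, 22, SCANNER, 40001, "SA"),
    Pkt(0.2, SCANNER, 40001, TARGET, 22, "R"),      # half-open: never ACKed
    Pkt(1.0, SCANNER, 40002, TARGET, 23, "S"),
    Pkt(1.1, TARGET, 23, SCANNER, 40002, "RA"),     # closed port
    Pkt(2.0, SCANNER, 40003, TARGET, 80, "S"),
    Pkt(2.1, TARGET, 80, SCANNER, 40003, "SA"),
    Pkt(2.2, SCANNER, 40003, TARGET, 80, "A"),      # completed handshake (connect scan style)
    Pkt(3.0, SCANNER, 40004, TARGET, 25, "F"),      # FIN probe, no reply
    Pkt(4.0, SCANNER, 40005, TARGET, 110, ""),      # NULL probe
    Pkt(4.1, TARGET, 110, SCANNER, 40005, "RA"),    # closed port answers with RST
    Pkt(5.0, SCANNER, 40006, TARGET, 143, "FPU"),   # XMAS probe
    Pkt(6.0, CLIENT, 51000, TARGET, 443, "S"),      # ordinary client connection
    Pkt(6.1, TARGET, 443, CLIENT, 51000, "SA"),
    Pkt(6.2, CLIENT, 51000, TARGET, 443, "A"),
]

if __name__ == "__main__":
    r = analyze(LOG)
    print("suspicious:", r.suspicious)
    print("half-open:", r.half_open)
    print("ports per source:", {s: len(p) for s, p in r.ports_touched.items()})
    print("likely scanners:", r.scanners)
```

The port threshold is applied over whatever span of log is passed in, which is the practical point of slide 18's "long history log": a scanner pacing itself to a few packets a day only crosses the threshold if the detector is fed days of history rather than a short rolling window.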

27 Port Scanning Detection
- For hackers, to dodge detection:
  - Randomize the sequence of ports to prevent detection
  - Slow scan: stay within the site detection threshold of the IDS, e.g. 2 packets/day/site!
  - Decoy: spoofed addresses in the attack
  - Coordinated scans: multiple scanners probe the same host or network
