What Can We Scan For Modems (and other telephone devices) Live Hosts TCP ports UDP ports Promiscuous NICs
Modems Repeatedly dial phone numbers looking for a modem to answer or other things War Dialers – used to find modems ToneLoc – 1994 by Minor Threat & Mucho Maas –THC-Scan 2.0 – VanHouser, releaces by Hackers Choice thc.inferno.tusclum.edu Win9x, NT, W2000 100 lines/hour TBA – LOpht (www.Lopht.com) –War dialing on a PALM Demon Dialers – once a modem is found repeatedly dial it and guess passwords Other things Free phone calls – if the phone answers and gives a dial tone you have dialed into a number the will let you dial another number, some companies do this so that roaming employees can dial into the company or into a company owned 800 number
Live Hosts Try pinging (ICMP Echo request) all hosts on a particular subnet to see who replies No reply indicates host is not live Incoming ICMP messages are blocked It’s a good idea to block incoming ICMP messages at the firewall If no reply a hacker would try connecting to a commonly open port (TCP port 80) or sending a UDP packet to a commonly open port. In java (which doesn’t do ICMP) send a ping using JNI to execute the ping command as an OS command line command.
Mapping your network Once the live hosts are known, a map of your network can be arrived at by determining how the hosts are connected together traceroute (unix/linux) / tracert (w2000) Microsoft(R) Windows NT(TM) (C) Copyright 1985-1996 Microsoft Corp. C:\users>tracert mail.binghamton.edu Tracing route to mail.binghamton.edu [220.127.116.11] over a maximum of 30 hops: 1 <10 ms <10 ms <10 ms 18.104.22.168 2 <10 ms <10 ms <10 ms 22.214.171.124 3 <10 ms <10 ms <10 ms bingnet2.cc.binghamton.edu [126.96.36.199] Trace complete.
Mapping (more) By doing repetitive traceroutes to the hosts discovered in the host scan the network topology can be discovered. Another way to do this is by using a mapping program like Cheops (www.marko.net/cheops> runs on Linux and automates the process of inventorying a network does operating system identification by using TCP Stack Fingerprinting
Port Scanning Once and attacker knows the topology of your network the tedious task of identifying open ports and services TCP and UDP scans are fine if you are scanning your own network looking for vulnerabilities but are to easily detectable for a hacker Nmap (www.insecure.org/Nmap) most versions of Unix ported to W/NT by eEye (www.eeye.com/html/Databases/Software/Nmapnt.html) does many types of scans
Port Scanning (more) TCP Connect - completes 3-way handshake TCP SYN - sends only initial SYN and waits for SYN-ACK TCP FIN - send TCP FIN to each port, reset indicates port is closed; violates the protocol TCP Xmas Tree - Sends packet with FIN, URG, PUSH set; reset indicates port is closed, no resp. may mean port is open. This actually violates the protocol; doesn’t work on Windows machine as MS didn’t follow the RFC NULL - send packet with no code bits set, reset indicates port closed; TCP ACK - Send a packet with ACK bit set, helps determine a packet filter’s rules Window - similar to ACK scan but focuses on TCP window size to determine if ports are open or closed
Port Scanning (more) FTP Bounce - Bounces a TCP scan off of an FTP server to obscure the originator of the scan RPC Scanning - Scans for Remote Procedure Call (RPC) services on the target machine, send an RPC null command to determine if an RPC program is listening
Windows Specific Services NetBIOS (TCP Ports 137, 138, 139) – used for Windows networking to connect clients to file and print servers. Should never be allowed through the Firewall except through an encrypted tunnel (as in a VPN) RPC Locator (TCP Port 135) – used by Windows networking to locate network services that use the RPC protocol. Should never be allowed through the Firewall. Terminal Services (TCP Port 3389) – gives the connecting complete control over the host machine. Should never be allowed through the Firewall except through an encrypted tunnel (as in a VPN)
Standard UNIX Services Chargen (TCP and/or UDP port 19) Daytime (TCP and/or UDP Port 13) Discard (TCP and/or UDP Port 9) Echo (TCP and/or UDP Port 7) Finger (TCP Port 79) NFS (TCP and/or UDP Port 2049) Quote (UDP Port 17) RPC (UDP Port 111) RSH (TCP Port 514) SSH (TCP Port 22)
Platform Neutral Services Telnet (TCP Port 23) TFTP (UDP Port 69) Bootp (UDP Port 67) DHCP (UDP Port 68) LDAP (TCP and/or UDP Port 389) SNMP (UDP Port 161) VNC (TCP Ports 5800+, 5900+) HTTP (TCP Port 80) HTTPS (TCP Port 443)
UDP Scans Because UDP is a much simpler protocol than TCP is it is inherently less reliable for scanning A UDP packet is sent to each UDP port If an ICMP “Port Unreachable” message is received then interpret the port as being closed Otherwise assume the port is open False positives are very common
TCP Stack Fingerprinting The TCP RFC defines how TCP should respond under normal conditions (no protocol violations) but not how to act in response to protocol violation If you spend the time attempting a number of protocol violation and record the responses they will always be the same for specific operating systems/versions These responses can be treated as fingerprints and allow a hacker to determine what OS is being addressed. Nmap maintains a rather complete database of known operating system fingerprints and can pretty reliably identify most major operating systems
Defenses Against Port Scanning Harden your systems Make sure all OS patches are installed Close all ports not needed Delete all programs associated with closed ports If you are comfortable managing your server via a command line interface remember to disable the GUI interface Don’t forget to delete the X Windows software Remove all unneeded software from your server A production web server shouldn’t need software development software, so remove all of the compilers Scan your systems before the hackers do, find your vulnerabilities before they do.
Defenses (more) Use stateful packet filtering so that not only the current packet is taken into consideration Intruders can scan right past a standard packet filter Use a proxy based firewall Gives application layer protection Requires complete connections SYN Scans and ACK Scans can’t get through
Determining Firewall Rules Firewalk www.packetfactory.net/Projects/firewalk-final.html Allows you to determine what packets are allowed through a firewall Nmap allows you to check what is happening at the end-point machines, Firewalk allows you to send packets through a packet filtering device to determine what it is set up to pass Similar to traceroute, works off of the TTL field in the IP header
Review List of Live Hosts – Ping and Cheops Network Topology – traceroute and Cheops List of Open Ports – Nmap Operating Systems on Live Hosts – Nmap Ports Open Through Packet Filters - Firewalk
Vulnerability Scanning Connect to a host and automatically detect if a vulnerability exists Common configuration errors Default configuration weaknesses Well known system vulnerabilities
Vulnerability Scanning Tools Vulnerability Database User Configuration Tool Scanning Engine Knowledge base of current active scan Results repository and Report Generator Vulnerability Database User Configuration Tool Scanning Engine Knowledge Base of Active Scan Results Repository And Reports Target
Bunch of Vulnerability Scanners Free SARA – www-arc.com/sara SAINT – www.wwdsi.com/saintwww.wwdsi.com/saint VLAD – razor.bindview.com/tools Nessus – www.nessus.org Commercial CyberCop Scanner – www.mcafeeb2b.com/services/cybercop-asap.asp ISS Internet Scanner – www.iss.netwww.iss.net eEye Retina Scanner – www.eeye.comwww.eeye.com Qualys’ QualysGuard – subscription based – www.qualys.comwww.qualys.com Vigilante SecureScan – subscription based – www.vigilante.comwww.vigilante.com
Wi-Fi Wardriving Name comes from movie War Games Similar in concept to Wardialing Also Warwalking and Warbiking Drive around and discover wireless hot spots Publish where located (GPS coordinates) : www.wigle.net Legality US : Not clearly defined –New Hampshire – working on bill to clarify responsibility to secure wireless networks UK : "use of a computer for a purpose for which one does not have permission" is against the law Tools Netstumbler –Windows active mode tool that polls looking for wi-fi networks Kismet –Most platforms – passive mode tool; does network detection, packet sniffing and IDS