2Penetration testingPenetration testing is a method of testing a network’s security by using various tools and techniques common to attackers.The methodology used is similar to that of an attacker:enumerate the network,assess vulnerabilities,research vulnerabilities for known exploits,and then use tools available to penetrate the network.A good penetration test should result in a report that explains the weaknesses found, lists them from most critical to least critical, and provides suggestions for improving the network’s security.
3Network scanEnumerating a network to discover what machines are attached and operating is a useful task for both an intruder and a system administrator.The information gained from a network scan assists in the determination of the actual current layout.Several tools and techniques exist for both the Windows and Linux platforms to perform these tests.Once the devices and their open ports have been identified, a vulnerability scanner can be used.
4The goal of Network scan One of the first tasks a hacker will carry out is to perform a scan of the network for hosts that are running.Once the user knows what hosts are accessible, he or she will then find a means to gather as much information about the hosts as possible.Once an attacker has identified the hosts, ports, and services that are available, he or she will want t identify the operating system that is running on the host.In addition to identifying the operating system, the attacker will want to gain more information about the services that are running on the target computer, such as the type of server and version (for example, Internet Information Services [IIS] version 6 or version 7).This information is contained in the service’s banner.The banner is usually sent after an initial connection is made.This information greatly improves the ability of the attacker to discover vulnerabilities and exploits.
5Utilities for network scan Nmap is a popular scanning utility that is available for download from the Internet at no cost.It is a powerful tool that includes many functions.The Nmap utility can quickly and easily gather information about a network’s hosts, including their availability, their IP addresses, and their names.This is useful information not only for a network administrator, but for a hacker as well, prior to an attack.Popular port scanning programs include: Nmap, Netscan Tools, Superscan and Angry IP Scanner.
6NMAP nmap stands for “network map”. This open-source scanner was developed by Fyodor (see ).Nmap is available for Windows and Linux as a GUI and command-line program.It can do many types of scans and OS identification.nmap is actually more than just a port scanner.In addition to listing the open ports on a network, it also tries to construct an inventory of all the services running in a network.It also tries to detect as to which operating system is running on each machine, etc.
7Why nmap An excellent tool Long history of development and support Continuous development and improvements“Industry Standard” port scanner
8nmap features Host Discovery: Which host is alive? Identifying computers on a network, for example listing the computers which respond to pings (Ping Sweeps)Port Scanning : What services are available?Enumerating the open ports on one or more target computersService and Version Detection : Which version is running?Determine the application name and version numberOS Detection: What platforms are served?Remotely determining the OS and some hardware characteristics of network devices
9Host DiscoveryQuerying multiple hosts using this method is referred to as ping sweepsThe most basic step in mapping out a network.Several Sweeps techniqueICMP SweepsBroadcast ICMPNON Echo ICMPTCP sweepUDP sweep
10Host Discovery : ICMP Sweeps Techniquesending an ICMP ECHO request (ICMP type 8)If an ICMP ECHO reply (ICMP type 0) is received : target is alive;No response: target is downPros & Conseasy to implementfairly slow, easy to be blockedScannerICMP ECHO requestICMO ECHO replyTargeta host is aliveScannerICMP ECHO requestNo responsea host is down/filteredTarget
11Host Discovery : ICMP Sweeps Ping sweepsAlso called an ICMP sweepUsed by attackers to determine the location of a hostAttacker sends a series of ICMP echo request packets in a range of IP addressesPing sweep alone does not cause harmARP ProbesWhy ARP scan? When you use ICMP ping scan, the OS needs to send out ARP request to figure out the MAC addressYou are sending millions of ARP request.
12Host Discovery : Broadcast ICMP Sending ICMP ECHO request to the network and/or broadcast addressesWindows ignored thisMost routers blocked this
13Host Discovery : Non-ECHO ICMP ICMP type 13 messages (TIMESTAMP),Query Current TimeICMP type 17 messages (ADDRESS MASK REQUEST)diskless systems to obtain its subnet mask at bootstrap time (RFC 792)
14Host Discovery : TCP Sweeps Sending TCP ACK or TCK SYN packetsThe port number can be selected to avoid blocking by firewallUsually a good pick would be 21 / 22 / 23 / 25 / 80But.. firewalls can spoof a RESET packet for an IP address, so TCP Sweeps may not be reliable.
15Host Discovery : UDP Sweeps Relies on the ICMP PORT UNREACHABLEAssume the port is opened if no ICMP PORT UNREACHABLE message is received after sending a UDP datagramCons:Routers can drop UDP packets as they cross the InternetMany UDP services do not respond when correctly probedFirewalls are usually configured to drop UDP packets (except for DNS)UDP sweep relies on the fact that a non-active UDP port will respond with an ICMP PORT UNREACHABLE message
16nmap Host Discovery summary sL: List Scan - simply list targets to scan-sP: Ping Scan - go no further than determining if host is online-PN: Treat all hosts as online -- skip host discovery-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes-PO [protocol list]: IP Protocol Ping-n/-R: Never do DNS resolution/Always resolve [default: sometimes]--dns-servers <serv1[,serv2],...>: Specify custom DNS servers--system-dns: Use OS's DNS resolver-sU: UDP Scan
17Introduction to port scanning Ports to a computer are like windows or doors to a housePort scanning attacks are much like a burglar searching all the windows and doors of a house to look for unlocked entry waysIf a window is left unlocked (like a port being “open” or not in use), it may be easy for the intruder to enter the house
18Port statesThe main goal of port scanning is to ﬁnd out which ports are open, which are closed, and which are ﬁltered.Port scanning is about testing the states of ports on a (remote) machine.Open is the most interesting states, which means that there is an application listening on that port waiting for connectionsPort Scanning is one of the most popular among the reconnaissance techniques attackers use.
20OPEN statea given port on your machine is open if you are running a server program on the machine and the port is assigned to the server.An application is actively accepting connections on this port.These are ports that attackers are looking for, as every open port is a potential entry point into the system.Administrators should try to keep the number of open ports to a minimum in order to decrease the risk of a successful attack.Obviously some ports will be open to provide certain services, but these ports should be protected in some way (e.g. a ﬁrewall, TCP wrappers, white lists of hosts thatmay connect).
21Filtered StateThis state means that NMAP is not able to determine whether a port is open or not.what we mean is that the packets passing through that port are subject to the ﬁltering rules of a firewall or router rules.Sometimes the response is an error message or no reply at all.
22Closed stateA closed port is accessible, i.e. it receives and responds to probe packets, but there is no application listening on it.While not directly exploitable for an attack, they may still provide other useful information (e.g. that a host is online, about the operating system a host is running).If a port on a remote host is closed and your computer sends it a SYN packet, the remote host will respond back with a RST packet .
23Review of TCP flags SYN - Initiates a connection ACK - Acknowledges received dataFIN - Closes a connectionRST - Aborts a connection in response to an errorURG-is used to inform a receiving station that certain data within a segment is urgent and should be prioritizedPSH- Used to force data delivery without waiting for buffers to fill.
24Types of Port Scans -Normal TCP Handshake Client SYN ServerClient SYN/ACK ServerClient ACK ServerAfter this, you are ready to send data
25Port Scanning To determine what services are running or in a LISTENING Some well known typesTCP Connect ScanTCP SYN scanStealth scanFTP bounce scan
26Port Scanning : TCP Connect Scan Use basic TCP connection establishment mechanism; complete 3-ways handshakeEasily to detect by inspecting the system logScannerSYNSYN/ACKACKTargeta port is openedScannerSYNRST/ACKTargeta port is closed
27Port Scanning : TCP Connect Scan Completes the three-way handshakeNot stealthy--appears in log filesThree statesClosedOpenFiltered
28Port Scanning : TCP SYN scan Do not establish a complete connection (Half Open scanning)send a SYN packet and wait for a responseIf an SYN/ACK is received=> the port is LISTENINGimmediately tear down the connection by sending a RESETIf an RST/ACK is received =>a non-LISTENING port.ScannerSYNSYN/ACKRSTTargeta port is openedScannerSYNRST/ACKTargeta port is closed
29Port Scanning : TCP SYN scan Client SYN ServerClient SYN/ACK ServerClient RST ServerThe server is ready, but the client decided not to complete the handshake
30Port Scanning : TCP SYN scan Stealthy scan, because session handshakes are never completedThat keeps it out of some log filesThree statesClosedOpenFiltered
31Port Scanning : Stealth Scan To gather information about target sites while avoiding detectionTry to hide themselves among normal network trafficNot to be logged by logging mechanism (stealth)TechniquesFlag Probe packets (Also called “Inverse mapping”)Response is sent back only by closed portBy determining what services do not exist, an intruder can infer what service do existSlow scans ratedifficult to detect =>need long history logCERT reported this technique in CERT® Incident Note IN-98.04
32Port Scanning : Stealth Mapping RFC793: to handle wrong state packetsclosed ports : reply with a RESET packet to wrong state packetsopened ports : ignore any packet in questionTechniqueA RST scanA FIN probe with the FIN TCP flag setAn XMAS probe with : set FIN, URG, ACK, SYN, RST, PUSH flags setA NULL probe with no TCP flags setScannerProbe packetNo responsea port is openedTargetScannerProbe packetRST/ACKa port is closedTarget
33Port Scanning : FTP Bounce scanning Connects to an FTP server, and establishes a control communication connection, ask the FTP server to initiate an active server data transfer processRather slowSome FTP servers disable the “Proxy” feature, but there are still many who do notPORT 10,0,0,5,0,22( )( )TCP SYNRST425 Cannot build data connectionScannerFTPTarget
34How does NMAP work ? NMAP can scan TCP and UDP ports. we are going to restrict ourselves to TCP ports in this lab session.Popular services, such as http, are registered to a well-known port-number and NMAP has a file describing the most common protocols used on the internet.It identify the operating system that is running on the host. by using a technique called stack fingerprinting.Different operating systems implement TCP/IP in slightly different ways.Though subtle, the differentiation of these responses makes it possible to determine the operating system.
35How does NMAP work ?The network traffic that is generated by Nmap can have distinct qualities.These qualities, such as the number of packets sent or the timing between packets, do not resemble the qualities of “normal” traffic. These qualities make up its signature.Nmap can be configured to hide its activity over time, attempting to mask its signature from being easily discovered.
36Guide to Network Defense and Countermeasures, Second Edition
37Different types of port scanning Simple port scanningStrobe port scanningStealth port scanningSYN scanningFIN scanningNull scanning
38Simple port scanningAn attacker searches all ports looking for, and noting, all open portsProsAttacker will see ALL available portsConsTakes a long time to scan all 65,000+ portsCan be detected fairly easily, due to large number of ports being scannedSpecific ports that are found to be open may not be useful to attack
39Strobe port scanningAn attacker selects a certain range of ports to check for open portsProsQuicker than a full scanAlready knows that all searched ports can lead to vulnerable access pointsConsDoes not give entire vulnerability profile of targetIs somewhat easy for target to detect
40Stealth port scanningAn attacker searches only a few random ports at once over a long period of time (usually a day or more). Often jumping between different computers on a network.ProsHard to detect because individual port scans, from the network’s point of view, appear to be accidental communication attemptsConsTakes a long time (usually a day or more)
41FIN scanningAttackers send erroneous packets to ports and listen for a response. If a port is closed, the attacker will receive an error message. However TCP requires that an open port ignores the erroneous packet. Based on the response, the attacker can determine the state of the port.ProsIt is difficult for the target’s computer to recognize this as an attack since the packets being send are random dataConsIf the target sends an error message response, it could get dropped or blocked by a firewall. This will lead the attacker to believe that a closed port is really open since it did not receive a response.
42Null scanning NULL scan All the packet flags are turned off Two results:Closed ports reply with RSTOpen or filtered ports give no response
43Types of Port Scans – (XMAS, FIN) XMAS scanFIN, PSH and URG flags are setWorks like a NULL scan – a closed port responds with an RST packetNULL, XMAS and FIN scans don't work on Windows machines
44Nmap Scan Types Scan Type Description TCP SYN Send a SYN packet to each port and wait for an ACKTCP connectOpen a connection to each port.FINSend a FIN packet and wait for a RST, which means the port is closed.XMASSend a packet with the FIN, URG, and PUSH flags set and wait for a RST, which means the port is closedNULLSend a packet with the FIN, URG, and PUSH flags set to zero and wait for a RST, which means the port is closed.UDPSend a 0 byte UDP packet to each port and wait for an ICMP port unreachable message.IP ProtocolSend a raw IP protocol header packet without any protocol headers and wait for an ICMP protocol unavailable message.Idle scanUses a side channel to send a TCP port scan. (I.E. Broadcast node)ACK ScanSend an ACK packet to the port and wait for and RST packet.RPC scanFloods all open TCP and UDP ports with null RPC packets to determine if it is an RPC port.
45Laws regarding port scanning Port scanning is NOT illegalPort scanning is analogous to ringing someone’s doorbell to see if they’re homePort scanning is considered illegal only if a crime is committedRarely a company may be able to press charges if they’re being scanned so frequently that it is affecting their network’s performance
46NMAP- Root privilegesRoot privileges are needed to start services on a Unix/Linux system on a port between 1 and (these are reserved ports).This is to give users the assurance that the service was started up by a system administrator and not any (malicious) user of the system.Nevertheless, this does not protect against a vicious system administrator.
47Nmap Usage nmap [scan types] [options] <host or net …> Usage: The simplest way to call NMAP is to provide just an IP address as a parameter:NmapNMAP will do a quick scan of the most popular ports and return with a list of ports it found and their state.Keep in mind that the results by NMAP are not always 100% accurate, as the contacted machines may try to confuse or mislead port scannersThe larger the number of router/gateway boundaries that need to be crossed, the less reliable the results returned by nmap.Usage:nmap [scan types] [options] <host or net …>
49Nmap Scan OptionsWhen we use the command line in the Nmap tool instead of GUI, we need some option which listed with the command to define the type of scan methods.-sPThis option, also known as the “ping scanning” option, is for ascertaining as to which machines are up in a network.Under this option, nmap sends out ICMP echo request packets to every IP address in a network. Hosts that respond are upTo get around this, nmap can also send a TCP ACK packet to (by default) port 80. If the remote machine responds with a RST back, then that machine is up.Another possibility is to send the remote machine a SYN packet and waiting for a RST or a SYN/ACK.
50Nmap Scan Options -sV This is also referred to as “Version Detection”. After nmap ﬁgures out which TCP and/or UDP ports are open, it next tries to ﬁgure out what service is actually running at each of those ports.A ﬁle called nmap-services-probes is used to determine the best probes for detecting various services.In addition to determine the service protocol (http, ftp, ssh, telnet, etc.), nmap also tries to determine the application name (such as Apache httpd, ISC bind, Solaris telnetd, etc.), version number, etc
51Nmap Scan Options -sT : “T” option carries out a TCP connect() scan -sU : This option sends a dataless UDP header to every port. As mentioned earlier in this section, the state of the port is inferred from the ICMP response packet (if there is such a response at all).-sS : To carry out a port scan of your own machine, you could try (called as root) nmap -sS localhostThe “-sS” option carries out a SYN scan
52nmap -p 1-1024 -sT moonshine.ecn.purdue.edu Nmap Scan OptionsYou can limit the range of ports to scan with the “- p” option, as in the following call which will cause only the ﬁrst 1024 ports to be scanned:nmap -p sT moonshine.ecn.purdue.edu
53Behavior of nmapTo change this behavior, the following sort of a call to nmap may produce richer results (at the cost of slowing down a scan):nmap -sS -A -P0 moonshine.ecn.purdue.eduThe ’-P0’ option (the second letter is ’zero’) tells nmap to notuse ping in order to decide whether a machine is up.
54Lab session In this lab you will: use Nmap to identify the computers that are on the network,enumerate the ports on the computers that were located,and then look at the network traffic generated by these actions.You will then use Nmap to scan the ports stealthily and compare the method to the previous scan.To observe service banners, Telnet will be used to obtain the banners from IP/port combinations obtained from Nmap scans.
55Lap stepsStep 1: Start the Windows 2008 Server and Windows 7 machines. Only log on to the Windows 7 machine.Step 2: Start Wireshark.Step 3: Use Nmap to scan the network.Step 4: Analyze the output from Wireshark.Step 5: Use Nmap to scan open TCP ports.Step 6: Use Wireshark to analyze the scan.Step 7: Use Nmap to do a stealth scan on the computer.Step 8: Use Wireshark to analyze the scan.Step 9: Use Nmap to enumerate the operating system of the target computer.Step 10: Use Telnet to connect to the web server, FTP server, and SMTP banner.Step 11: Log off from the Windows XP Professional PC.