
1 Capital Area Cyber Security User Group CLASS 3 Active Information Gathering the Fine Art of Scanning

2 Presenter BIO Strengths Weakness Security Interests Something Fun

3 User Group Objective
Give students offensive knowledge to better defend computer networks
Hands-on security training to complement theory; put theories into practice
“Tell me and I'll forget; show me and I may remember; involve me and I'll understand.”
Knowledge sharing: the power of group learning

4 USER GROUP OBJECTIVE Contd.
Group Exercise: What do you see in the following pictures? Face, bridge and women; John Lennon

5 USER GROUP OBJECTIVE Contd.
Increase experience with a multitude of security aspects
Network with other security-minded professionals
Play in a safe lab environment not offered at work or home
Earn CPEs to maintain certifications without high costs. For CISSP: preparing and presenting a 2 hour presentation = 8 CPEs; participating 1 hour = 1 CPE; updating an existing presentation (see the ISC2 chart for specifics)

6 USER GROUP OBJECTIVE Contd.
Have your questions answered; bring hard issues that require solutions
Improve public speaking and training skills

7 CEH Certified Ethical Hacker Study Guide Kimberly Graves, 2010
Course Chapters: Chapter 1: Introduction to Ethical Hacking, Ethics, and Legality Chapter 2: Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering Chapter 3: Gathering Network and Host Information: Scanning and Enumeration Chapter 4: System Hacking: Password Cracking, Escalating Privileges, and Hiding Files Chapter 5: Trojans, Backdoors, Viruses, and Worms Chapter 6: Gathering Data from Networks: Sniffers Chapter 7: Denial of Service and Session Hijacking Chapter 8: Web Hacking: Google, Web Servers, Web Application Vulnerabilities, and Web-Based Password Cracking Techniques Chapter 9: Attacking Applications: SQL Injection and Buffer Overflows Chapter 10: Wireless Network Hacking Wi-Fi and Ethernet Chapter 11: Physical Site Security Chapter 12: Hacking Linux Systems Chapter 14: Cryptography Chapter 15: Performing a Penetration Test Amazon.com

8 Course Agenda Class 1: Methodologies and Lab Setup
Class 2: Passive Information Gathering Class 3: Active Information Gathering (Nessus) Class 4: Wireless and Wired Network Enumeration Class 5: Target System Penetration Class 6: Privilege Escalation, Maintaining Access, and Malware Class 7: Web Application Penetration Class 8: Covering Tracks, IDS, Reporting, and Cleanup Class 9: Metasploit Class 10: Physical Security (Lock Picking etc.) Class 11: Capture the Flag

9 Agenda Active Information Gathering Exercises Ping Port Scan
Operating System Fingerprinting Intrusion Detection Systems Exercises

10 DO NOT perform any activities from this course on any network/system or on a network connected device without proper permission! Make sure you have written permission and authorization to conduct these activities on any system. Conducting any activities related to penetration testing requires the consent of the owner of the target system and the internet service provider. Failure to obtain consent in the form of a legal contract can result in fines and imprisonment.

11 Information Systems Security Assessment Framework (ISSAF)

12 What We Know via Passive Information Gathering?
Critical services
Key employees
Partner companies
Company website, IP and addresses
Physical address and location
Domain names
Types of operating systems, databases, servers, protocols, and programming languages used (basic)

13 What is Active Information Gathering?
The process of searching for information that an attacker could potentially use to exploit the target network:
Identify live systems
Map the network
Types of operating systems, databases, servers, protocols, and programming languages used (in-depth)
Identify system vulnerabilities

14 Why Do Active Information Gathering?
More information about the target can make the penetration test easier during the later phases
“Know your enemies and know yourself, you will not be imperiled in a hundred battles.” – Sun Tzu, Art of War
“Generally, a hacker spends 90 percent of the time profiling and gathering information on a target and 10 percent of the time launching the attack.” – Kimberly Graves
“Good hackers will spend 90 – 95 percent of their time gathering information for an attack.” – Walker
Increases success rate tenfold. The Art of War stresses the importance of spies to obtain information (watch/listen/report); likewise, human sources should not be overlooked as a means to gather information about the target.

15 Why Do Active Information Gathering?
Timing the attack
Example: around patch releases such as Microsoft Patch Tuesday or the Oracle CPU
Off hours such as holidays, vacations, or peak hours

16 Active Vs. Passive Information Gathering
Active: touch the device/network or talk to employees (e.g. a vulnerability scan)
Passive: do not communicate with or touch the target, such as Google searching for publicly available information

17 ICMP and Ping
Internet Control Message Protocol (ICMP) is the part of the TCP/IP protocol suite used to send error and diagnostic messages
Ping (ICMP echo request / echo reply) is the most familiar use of ICMP
Used to verify network connectivity
Sends an echo request to a system and waits for an echo reply (only active systems that are allowed to answer respond)
Cannot show which services a system is running

18 Ping Examples
Active system response / inactive system response
Question: What does this image tell you? The system is down, or ICMP is blocked
Build Your Own Security Lab

19 ICMP Message Types

20 Ping Sweep
Command-line pinging only allows one system to be pinged at a time
Use a ping sweep to scan a large number of systems: SuperScan, Angry IP Scanner, Nmap
Nmap's -sn option uses ICMP and TCP probes (and ARP requests on a local Ethernet segment) to find live hosts
A ping sweep technically means scanning every address in a subnet, not just a few at a time
Some systems such as Windows XP (SP2 and later) limit the number of concurrent half-open outbound TCP connections to 10, which throttles TCP-based sweeps run from that host

21 Ping Defenses
Many administrators block ping from passing the gateway device
Ensure blocked activity is logged and generates notifications
Configure rules, test, and monitor
Disable unneeded listening services, so that the TCP/UDP-based host discovery scanners fall back to when ICMP is blocked has nothing to elicit a reply from
ShieldsUP! is a web-based scan that shows which ports and services on your machine are reachable from the internet
Netstat and CurrPorts show the listening ports locally
Snort rule for Nmap's TCP ACK ping (ACK flag alone, acknowledgement number 0):
alert tcp any any -> /24 any (flags: A; ack: 0; msg: "TCP ping detected";)
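The detection logic behind the Snort rule above, as an added example that is not part of the slides: a small detector that applies the same condition (TCP, ACK flag only, ack number 0) plus ICMP echo requests to a stream of packet summaries, and raises a sweep alert when one source probes many hosts in a short window. The packet records, the hosts and the threshold are constructed for the example; they are not from a real capture.

```python
# Added example (not from the slides): host-discovery detection logic for the
# two probes discussed above, run over constructed packet summaries.
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Pkt:
    """Minimal packet summary, as a sensor would decode it (constructed data, not a real capture)."""
    ts: float
    src: str
    dst: str
    proto: str                  # "tcp" or "icmp"
    flags: str = ""             # TCP flags as letters, e.g. "S", "A", "SA"
    ack: Optional[int] = None   # TCP acknowledgement number
    icmp_type: Optional[int] = None


def is_tcp_ack_ping(p: Pkt) -> bool:
    """Same condition as the Snort rule on the slide: TCP, ACK flag alone, ack number 0.
    A real ACK in an established connection acknowledges a non-zero sequence number,
    which is why ack == 0 separates Nmap's -PA probe from normal traffic."""
    return p.proto == "tcp" and p.flags == "A" and p.ack == 0


def is_icmp_echo_request(p: Pkt) -> bool:
    return p.proto == "icmp" and p.icmp_type == 8


def detect_sweeps(packets: List[Pkt], window: float = 5.0, threshold: int = 5) -> List[str]:
    """Alert once per (source, probe kind) when a source probes at least `threshold`
    distinct hosts within `window` seconds. The threshold is an assumed tuning value."""
    history = defaultdict(list)          # (src, kind) -> [(ts, dst), ...]
    alerted = set()
    alerts = []
    for p in sorted(packets, key=lambda x: x.ts):
        if is_tcp_ack_ping(p):
            kind = "TCP ping"
        elif is_icmp_echo_request(p):
            kind = "ICMP echo"
        else:
            continue
        key = (p.src, kind)
        history[key].append((p.ts, p.dst))
        recent_targets = {dst for ts, dst in history[key] if p.ts - ts <= window}
        if len(recent_targets) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(f"{kind} sweep from {p.src}: {len(recent_targets)} hosts in {window:g}s")
    return alerts


def sample_packets() -> List[Pkt]:
    """Constructed traffic: one host ACK-pinging eight addresses, two ordinary
    established-connection segments, and a lone ICMP echo that should not trigger anything."""
    pkts = [Pkt(ts=0.1 * i, src="10.0.0.5", dst=f"10.0.0.{i + 10}", proto="tcp", flags="A", ack=0)
            for i in range(8)]
    pkts.append(Pkt(ts=0.2, src="10.0.0.7", dst="10.0.0.20", proto="tcp", flags="A", ack=3_000_123))
    pkts.append(Pkt(ts=0.3, src="10.0.0.7", dst="10.0.0.21", proto="tcp", flags="SA", ack=1))
    pkts.append(Pkt(ts=0.4, src="10.0.0.9", dst="10.0.0.1", proto="icmp", icmp_type=8))
    return pkts


if __name__ == "__main__":
    for line in detect_sweeps(sample_packets()):
        print(line)
```

The alert fires on the fifth distinct target, so a single ACK ping to one host (a legitimate reachability check) never alerts; the rule on the slide, by contrast, fires per packet and relies on Snort's own threshold options to avoid that noise.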

22 Shields Up

23 Netstat

24 Currports

25 Types of Scanning Port Scanning Network Scanning
Port scanning: determine open ports and services
Network scanning: identify IP addresses on a network/subnet
Vulnerability scanning: discover weaknesses on target systems

26 Scanning and the Law Do not scan without permission!
A scan can crash fragile hosts (an unintended denial of service) and can lead to criminal charges
Your ISP might drop your scanning attempts and/or blacklist you

27 CEH Scanning Methodology
Kimberly Graves CEH Book

28 When to Scan Determine when to scan
Don’t risk discovery if you already know the host is easy to hack If a specific host is well guarded, opt for a less guarded host or implement a different strategy such as social engineering

29 Port Scanning
Port scanning probes the 65,535 TCP and UDP ports to discover listening services on a target system
An attacker can determine the best means of attacking a system by knowing the open services and version numbers
Most scans only look at the first 1,024 (well-known) ports, since that is where the most commonly attacked services live: FTP (20/21), Telnet (23), SMTP (25), DNS (53), TFTP (69), HTTP (80), SNMP (161/162)

30 Ports Malicious software default ports Weak protocol ports
Malicious software default ports: port 1095 (Remote Administration Tool – RAT), port 7777 (Tini), Trinoo, Back Orifice
Weak protocol ports: FTP (20/21), Telnet (23)
Common Windows ports
Locate common ports on Windows: c:\windows\system32\drivers\etc\services

31 Ports Common Linux software based ports Common Apple Used Ports:
Look for software that only runs on a specific OS
Locate common ports on Linux: /etc/services (the Windows equivalent is c:\windows\system32\drivers\etc\services)

32 Port States
Open – accepting incoming requests
Closed – accessible but no application listening on it
Filtered – a firewall is screening the port
Unfiltered – accessible, but Nmap cannot tell whether it is open or closed (only the ACK scan reports this state)
Open | Filtered – unsure if open or filtered
Closed | Filtered – unsure if closed or filtered
The six port states recognized by Nmap (as described in the Nmap reference guide):
open: An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.
closed: A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall. Then they would appear in the filtered state, discussed next.
filtered: Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.
unfiltered: The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.
open|filtered: Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
closed|filtered: This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

33 TCP and UDP
Applications use TCP/UDP port numbers so that traffic reaches the correct service
TCP uses a three-step handshake to open a connection and a four-step shutdown to close it
A flags field in the TCP header controls communication (URG, ACK, PSH, RST, SYN, FIN)
Nmap manipulates the flags to identify active systems and port states
UDP does not use handshaking, so it is faster but less reliable and easier to spoof: “fire and forget”

34 TCP Handshakes
Startup process (three-way handshake):
SYN: my sequence # 110
SYN ACK: your sequence # 111 (110 + 1 acknowledged), my sequence # 225
ACK: your sequence # 226 (225 + 1 acknowledged), my sequence # 111
Data
Shutdown process (four steps):
FIN: sequence # 310
ACK: your sequence # 311 (310 + 1)
FIN: my sequence # 415
ACK: your sequence # 416 (415 + 1)

35 TCP Handshakes (Port Numbers in Use)

36 TCP Flags
SYN – Synchronize. Initiates a connection between hosts
ACK – Acknowledge. Acknowledges received data; set on every segment of an established connection
PSH – Push. The system is forwarding buffered data
URG – Urgent. Data in the packet is processed quickly
FIN – Finish. No more transmissions
RST – Reset. Resets the connection

37 Scan Types and Responses
For SYN, connect, FIN, NULL and Xmas scans a closed port answers with RST. The ACK scan is the exception: both open and closed ports answer an ACK probe with RST (Nmap reports them as unfiltered), and only filtered ports give no response. Information about other scan types can be found online.
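The scan-type/response table from the two slides above (port states, and which response each scan type gets) as code, added here as an example that is not part of the slides. The response vocabulary ("syn-ack", "rst", "udp", "none", "icmp:type/code") is this example's own convention; the state names and the ICMP codes Nmap treats as filtered follow the Nmap reference guide quoted above.

```python
# Added example (not from the slides): the scan-type/response table behind Nmap's port
# states, as code. Response strings: "syn-ack", "rst", "udp" (a UDP payload came back),
# "none" (no reply after retries), or "icmp:<type>/<code>" for an ICMP error.
from typing import Dict, Optional, Tuple

NMAP_FLAG = {"syn": "-sS", "connect": "-sT", "ack": "-sA", "window": "-sW",
             "fin": "-sF", "null": "-sN", "xmas": "-sX", "udp": "-sU"}

# ICMP destination-unreachable (type 3) codes that Nmap reports as "filtered"
TCP_FILTER_CODES = {1, 2, 3, 9, 10, 13}
UDP_FILTER_CODES = {1, 2, 9, 10, 13}       # code 3 (port unreachable) means "closed" for UDP


def _icmp(response: str) -> Optional[Tuple[int, int]]:
    if not response.startswith("icmp:"):
        return None
    t, c = response[5:].split("/")
    return int(t), int(c)


def classify(scan: str, response: str, tcp_window: int = 0) -> str:
    """Return the Nmap port state for one probe outcome."""
    icmp = _icmp(response)
    tcp_filtered = response == "none" or (icmp is not None and icmp[0] == 3 and icmp[1] in TCP_FILTER_CODES)

    if scan in ("syn", "connect"):
        if response == "syn-ack":
            return "open"
        if response == "rst":
            return "closed"
        if tcp_filtered:
            return "filtered"
    elif scan == "ack":
        # both open and closed ports reply RST; the probe only reveals whether a filter is in the way
        if response == "rst":
            return "unfiltered"
        if tcp_filtered:
            return "filtered"
    elif scan == "window":
        # same probe as the ACK scan, but some stacks set a positive window only for open ports
        if response == "rst":
            return "open" if tcp_window > 0 else "closed"
        if tcp_filtered:
            return "filtered"
    elif scan in ("fin", "null", "xmas"):
        # RFC 793 stacks: closed ports RST, open ports stay silent, so silence is ambiguous
        if response == "rst":
            return "closed"
        if response == "none":
            return "open|filtered"
        if tcp_filtered:
            return "filtered"
    elif scan == "udp":
        if response == "udp":
            return "open"
        if icmp == (3, 3):
            return "closed"
        if icmp is not None and icmp[0] == 3 and icmp[1] in UDP_FILTER_CODES:
            return "filtered"
        if response == "none":
            return "open|filtered"
    raise ValueError(f"no rule for scan={scan!r} response={response!r}")


def summarize(scan: str, observations: Dict[int, str]) -> Dict[str, list]:
    """Group ports by state the way an Nmap report does, e.g. {'open': [22, 80], ...}."""
    grouped: Dict[str, list] = {}
    for port, response in sorted(observations.items()):
        grouped.setdefault(classify(scan, response), []).append(port)
    return grouped
```

The asymmetry to remember when reading a report: for the stealth scans (FIN/NULL/Xmas) and UDP, silence means open|filtered, not open, so a host behind a drop-everything firewall looks identical to a host with every port open; for the SYN scan, silence means filtered. Microsoft Windows stacks do not follow the RFC 793 behaviour the FIN/NULL/Xmas branch relies on and reset every probe, so those scans report all ports closed against them.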

38 Other Scan Types RPC scan: determine if open ports are RPC ports
Idle scan: use an idle host (“zombie”) to bounce packets and make the scan harder to trace. The attacker probes the idle host to read its IP ID, sends a SYN to the victim with the idle host's address spoofed as the source, then probes the idle host again:
Open port: the victim answers the idle host with SYN/ACK; the idle host replies RST and consumes an IP ID. The probe responses read IP ID = 12345, then 12347 (+2).
Closed port: the victim answers the idle host with RST, which the idle host ignores. The probe responses read IP ID = 12345, then 12346 (+1).
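A simulation of the idle scan exchange described above, added as an example that is not part of the slides. The zombie, victim and attacker are toy models (the zombie has a single global incrementing IP ID, which is the property the technique depends on); the inference rule, delta 1 = closed|filtered and delta 2 = open, is the real one, and the example also covers the failure mode of a zombie that is not actually idle.

```python
# Added example (not from the slides): a simulation of the idle scan exchange drawn
# above. Zombie, Victim and the attacker function are toy models, not real hosts; the
# inference rule (IP ID delta of 1 = closed|filtered, 2 = open) is the real one.
from dataclasses import dataclass, field
from typing import Set


@dataclass
class Zombie:
    """An idle host whose IP stack uses one global, incrementing IP ID counter."""
    ipid: int = 12345

    def _send(self) -> int:
        self.ipid = (self.ipid + 1) & 0xFFFF      # 16-bit field wraps around
        return self.ipid

    def answer_probe(self) -> int:
        """The attacker sends the zombie a SYN/ACK; an unexpected SYN/ACK gets a RST back,
        and that RST carries the IP ID the attacker wants to read."""
        return self._send()

    def receive(self, segment: str) -> None:
        if segment == "SYN/ACK":   # unsolicited SYN/ACK -> RST (consumes an IP ID)
            self._send()
        # an unsolicited RST is silently dropped: nothing sent, IP ID unchanged

    def background_traffic(self, packets: int) -> None:
        """A zombie that is not really idle: its own traffic consumes IP IDs too."""
        for _ in range(packets):
            self._send()


@dataclass
class Victim:
    open_ports: Set[int] = field(default_factory=set)

    def receive_syn(self, port: int, apparent_source: Zombie) -> None:
        """The victim answers the spoofed source address, i.e. the zombie, not the attacker."""
        apparent_source.receive("SYN/ACK" if port in self.open_ports else "RST")


def ipid_delta(before: int, after: int) -> int:
    return (after - before) & 0xFFFF


def idle_scan_port(zombie: Zombie, victim: Victim, port: int, noise: int = 0) -> str:
    """One idle-scan round; `noise` simulates packets the zombie sends on its own between probes."""
    before = zombie.answer_probe()          # 1. read the zombie's current IP ID
    victim.receive_syn(port, zombie)        # 2. SYN to the victim, source spoofed as the zombie
    zombie.background_traffic(noise)        #    (0 for a truly idle zombie)
    after = zombie.answer_probe()           # 3. read the IP ID again
    delta = ipid_delta(before, after)
    if delta == 1:
        return "closed|filtered"            # only our second probe consumed an ID
    if delta == 2:
        return "open"                       # the zombie also answered the victim's SYN/ACK
    return "unreliable"                     # zombie busy or IP ID not incremental: retry or pick another zombie


if __name__ == "__main__":
    victim = Victim(open_ports={80})
    zombie = Zombie()
    for p in (80, 81):
        print(p, idle_scan_port(zombie, victim, p))
    print(80, idle_scan_port(zombie, victim, 80, noise=3))
```

The attacker never sends a packet to the victim with its own address, which is why the victim's logs show only the zombie; the cost is that a zombie with any traffic of its own, or with per-connection or random IP IDs, makes the result unreadable, which is exactly what Nmap tests for before it trusts a zombie.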

39 Port Scanning Tools GUI-based Command line-based
GUI-based: Nmap (Zenmap), SuperScan
Command line-based: Nmap, hping2
Nmap is an open source network mapping and security auditing tool that crafts IP packets to gain information about active systems

40 Nmap Basic scan options: -sS (TCP SYN) -sT (TCP Full)
TCP Full Connect Example

41 Nmap Nmap switches: Ping options Scan Types Output Scan Speed
Output: normal output (-oN) is what is displayed on the screen; XML output (-oX) can be imported into a database or other tools; grepable output (-oG) is meant for searching with grep
Scan speed

42 Zenmap The free cross-platform Nmap GUI Additional features:
Save scan results Save scan options for repetitive scans Sort scans by host, port, and service Display scan results in a more user-friendly format Display a visual interpretation of traceroute Nmap.org

43 Hping2
hping2 --scan <ports> -S localhost
Scanning localhost, ports to scan; use -V to see all the replies
|port| serv name | flags |ttl| id | win |
111 sunrpc : .S..A
All replies received. Done.
Not responding ports:

44 Defend Against Port Scanning
Only keep necessary ports open
Periodically check for open ports and close unused ports
Employee policies, training, and rules of behavior
Filter traffic through a stateful inspection firewall
Use an IDS
Change service banners so that they return incorrect information

45 Active OS Fingerprinting
Find high value targets and/or weak targets
Actively craft and send IP packets to the target to elicit a response that identifies the host operating system: FIN probe, ACK value, bogus flag probe
More accurately determines the target OS than passive methods
Nmap's -O option and xprobe2 actively identify operating systems
The target computer can more easily detect active OS fingerprinting scans

46 Passive Stack Fingerprinting
Stealthier: examine traffic already on the network (sniffing vs. scanning)
Less accurate
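The core of passive stack fingerprinting in the style of p0f, added as an example that is not part of the slides: read the fields a remote host chose for its own SYN (initial TTL, advertised window size, don't-fragment bit), normalise the observed TTL back to the value it started from, and match against a signature table. The signature values are illustrative figures commonly cited for these stacks, not p0f's real database, and the SYN records are constructed rather than captured.

```python
# Added example (not from the slides): passive stack fingerprinting in the style of p0f.
# The signatures are illustrative values, not p0f's database; the SYN records are
# constructed, not sniffed.
from dataclasses import dataclass
from typing import Tuple

INITIAL_TTLS = (32, 64, 128, 255)     # values operating systems start from


@dataclass
class SynRecord:
    src: str
    ttl: int          # TTL as seen at the sniffer, after some routers decremented it
    window: int       # TCP window size advertised in the SYN
    df: bool          # IP don't-fragment bit


# (initial TTL, window, DF) -> OS guess; illustrative only
SIGNATURES = {
    (64, 5840, True): "Linux 2.4/2.6",
    (64, 65535, True): "FreeBSD / Mac OS X",
    (128, 65535, True): "Windows XP",
    (128, 8192, True): "Windows 7 / Server 2008",
    (255, 4128, False): "Cisco IOS",
}


def initial_ttl(observed_ttl: int) -> int:
    """Routers only decrement TTL, so the sender started at the smallest standard value >= what we see."""
    for start in INITIAL_TTLS:
        if observed_ttl <= start:
            return start
    return 255


def fingerprint(rec: SynRecord) -> Tuple[str, int]:
    """Return (OS guess, estimated hop count between the sender and the sniffer)."""
    start = initial_ttl(rec.ttl)
    hops = start - rec.ttl
    guess = SIGNATURES.get((start, rec.window, rec.df))
    if guess is None:
        guess = f"unknown (ttl={start}, win={rec.window}, df={int(rec.df)})"
    return guess, hops


def fingerprint_all(records) -> dict:
    """src -> (guess, hops); the kind of profile table Ettercap's View > Profiles builds."""
    return {r.src: fingerprint(r) for r in records}


if __name__ == "__main__":
    # constructed observations
    for src, res in fingerprint_all([SynRecord("10.0.0.12", 52, 5840, True),
                                     SynRecord("10.0.0.31", 116, 8192, True)]).items():
        print(src, res)
```

This is why the slide calls passive fingerprinting less accurate: it only sees what the peer volunteers, a NAT or a TCP-normalising firewall rewrites those fields, and the hop estimate is meaningless for a TTL the sender changed deliberately; active probing gets around that by sending malformed packets and watching how each stack copes.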

47 Nmap Fingerprinting
The -O option will try to match response packets to a database of known operating system fingerprints
Nmap's -sV option probes open ports to identify service names and versions (banners)
Limiters to speed up scans: --osscan-limit, --max-os-tries

48 Defending Against OS Fingerprinting
Block unneeded or suspicious traffic at the firewall Use an Intrusion Detection System (IDS) Set access control lists (ACL) on routers to block suspicious traffic

49 Intrusion Detection Systems
Intrusion detection systems (IDSs) inspect network/host activity and identify suspicious traffic and anomalies (e.g. Snort, Suricata)
Two categories of IDS: network-based intrusion detection systems and host-based intrusion detection systems
IDSs are usually made of multiple software applications and/or hardware devices with the following components: network sensors, central monitoring system, report analysis, database and storage components, response box
Suricata open source IDS

50 IDS Engines Types of intrusion detection system engines or methods:
Signature-based: current activity is pattern-matched against a database of attack signatures; if matched, generate and report an alert
Anomaly-based: learn and update a profile of normal activities from historical data and compare current data with it; if characteristic, continue learning; if uncharacteristic, generate and report an alert

51 Active Information Gathering Tools
Capabilities compared: ping sweep, port scan, passive OS fingerprinting, active OS fingerprinting, GUI, command line, host OS
Nmap – Win/Linux
SuperScan – Win
Angry IP Scanner
THC-Amap – Linux
TCPTraceroute
p0f
xprobe2

52 Scrutinizing Key Employees
Useful information to prepare for social engineering: debt (payoff), disgruntled employees (layoffs from mergers), vacations, embarrassing information (blackmail)
How to get this information: run a credit report (illegal without permission); find out via Facebook status etc.; bugs/cameras/spies/stakeout/pickpocket; positioning of monitors and the use of security/privacy screens

53 Social Engineering Key Employees
Kevin Mitnick – Father of social engineering At age 12, socially engineered bus driver to circumvent the punch card system for LA buses Went on to hacking phones, systems etc. and was captured and put in solitary confinement due to fears that he could launch a nuclear missile by whistling into a phone

54 WLAN Threat Wardriving – driving around a target with special equipment to record information about WAPs Equipment: laptop with a wireless network interface controller, GPS device, antennae and network discovery tools (Kismet) Warwalking – walking around or sitting near a target with a laptop and other equipment in a backpack Warflying

55 WLAN Threat
Sniff traffic on the WLAN for: operating systems, ports/services information, passwords, miscellaneous sensitive information

56 War Dialing Dial every number until find an unsecured modem
Kismet UI Main View
Dial every number until you find an unsecured modem
Still a problem: modem backup connections; old modems never retired
Tools: THC-Scan, PhoneSweep, and TeleSweep
Prevention: no-modem policy; strong passwords; test for modems using tools; look for modems (desk-to-desk checks)
In 1983 the movie WarGames showcased the power of wardialing
Wardialing using THC-Scan

57 Hiding Your Active Information Gathering
Proxies: the proxy is seen as performing the activity instead of you
Free proxies are available; ProxyChains can route your tools through a chain of them
Anonymizer services such as Anonymouse.org; caution: choose the right one
Useful for blocked sites
ProxyChains uses multiple proxies to cover your tracks
ProxyChains via BackTrack tutorial

58 Hiding Your Active Information Gathering
Spoofing the IP address: Nmap can spoof the source IP (-S); caution: the responses go to the spoofed IP instead of to you
The Onion Router (Tor): anyone can run a Tor relay or exit node (a plus and a minus); the client bounces internet requests through a circuit of Tor relays
Tunneling
Hiding files

59 Summary You should now know specific information about the target system(s) By knowing the active devices, open ports, running services, and device operating system, you can search for vulnerabilities to exploit and use the listening services to gain more information Next class: Enumerating Target Systems Questions?

60 Lab: Active Information Gathering

61 Lab Overview Lab setup Exercises Ping sweep Port scan Banner grabbing
Passive OS identification Active OS identification Manual vulnerability identification Automated vulnerability identification (Nessus)

62 Course Lab Setup Host Operating System = Ubuntu (Linux)
Virtual machine = VirtualBox
VMs = BackTrack, Windows (Guest PC and XP-1), badstore
Each laptop has its own separate standalone lab environment
How to start the lab environment:
1) Open VirtualBox
2) Ensure that the BackTrack VM is powered on
3) Log on to BackTrack (root/toor) and type startx
4) Set the static IP address (.100)
5) Ensure that the badstore VM has the badstore CD mounted and then start the VM
6) Configure the badstore VM IP address via the following command: ifconfig eth0 up netmask

63 Lab Scenario In the following scenario, you will need to gather as much information about your target as possible that can be used in planning the attack. Your target is example.com. The company has hired you to confirm that their security awareness programs and policies are working as intended. In other words, they want you to confirm that employees do not open unnecessary ports/services or use unapproved software, which increases the attack surface of the company.

64 Lab 3.1 Ping Sweep (nmap)
We are going to do a ping sweep of the local subnet.
Open a command line terminal in BackTrack
Type nmap -sn /24 to perform a ping sweep over a range of IP addresses
List the IP addresses of running hosts
Type nmap -sn --send-ip to run the ping scan with IP-level probes (ICMP/TCP) instead of ARP. List the IP addresses of running hosts; has the number changed? If so, why?
Open another command line terminal and type wireshark
Use the file menu to open a pcap file: File > Open > Desktop > Lab3 > ping-blocked-pcap
Review the pcap and note that ping is blocked
-sn (No port scan), from the Nmap reference guide: This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a “ping scan”, but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name. Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries. The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default. When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target. When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless --send-ip was specified. The -sn option can be combined with any of the discovery probe types (the -P* options, excluding -Pn) for greater flexibility. If any of those probe type and port number options are used, the default probes are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise hosts could be missed when the firewall drops probes or their responses.

65 Lab 3.1 Ping Sweep (nmap)
Use the file menu to open additional pcap files: File > Open > Desktop > Lab3 > ping-blocked-pcap; File > Open > Desktop > Lab3 > ping-allowed-timestamp-allowed-pcap; File > Open > Desktop > Lab3 > ping-blocked-timestamp-allowed-pcap
Review and compare the pcap files

66 Lab 3.1 Ping Sweep (superscan)
We are going to do a ping sweep of the local subnet.
Open the SuperScan folder on the Guest PC, C:\lab-tools\superscan
Run SuperScan: SuperScan4.exe
Type the start IP ( ) and end IP ( ) and press the arrow button
From the “Host and Services Discovery” tab uncheck “UDP port scan” and “TCP port scan”
Then press the play button to perform a ping sweep over a range of IP addresses
List the IP addresses of running hosts

67 Lab 3.1 Ping Sweep (superscan contd.)
Now try the same IP range again but with the following settings From the “Scan Options” Tab, uncheck “hide systems with no open ports” and rerun the scan Note the number of systems now and the information provided View the final scan via the “view html results” button

68 Lab 3.1 Ping Sweep (angryip)
Note windows XP/Vista limitations To change it to a port scan from just a host discovery scan, On the “Ports” tab in the port selection box type 1-147, press ok

69 Lab 3.1 Ping Sweep (angryip)
We are going to do a ping sweep of the local subnet.
Open Angry IP Scanner from the Guest PC: navigate to c:\lab-tools\angryip and run the .exe file
Type the IP range
From the menu select Tools > Preferences; on the “Scanning” tab check “scan dead hosts”
Press the start button to perform a ping sweep over a range of IP addresses
List the IP addresses of running hosts and note the duration of the scan; compare it to the nmap scan
To change it to a port scan from just a host discovery scan, on the “Ports” tab type 1-147 in the port selection box and press OK

70 Lab 3.1 Ping Sweep (zenmap)
We are going to do a ping sweep of the local subnet.
Open Zenmap via the BackTrack command terminal: zenmap
Type the subnet to scan (/24), choose the ping scan profile and then press scan to perform a ping sweep over a range of IP addresses
List the IP addresses of running hosts
Press Ctrl+P or from the menu choose Profile > New Profile; review the options and note the hints for each option

71 Lab 3.1 Ping Sweep (nessus)
We are going to do a ping sweep of the local subnet.
Open Nessus via the “Nessus Client” shortcut on the Guest PC desktop (username = visitor, password = qwerty)
From the scan tab, launch the “host discovery” scan to perform a ping sweep over a range of IP addresses
List the IP addresses of running hosts
Review the scan results
Open My Documents and then open the pcap files to compare the pcap of the nmap host discovery with the Nessus host discovery pcap. Which pcap is larger and noisier?

72 Lab 3.2 Port Scanning
Now that we know what hosts are running, we can port scan them.
Open a command line terminal in BackTrack
Type nmap and hit Enter to view a list of options
Type nmap -sT your_target_IP_address to perform an Nmap full connect scan
List the open ports and services. Can you guess the OS from the services?
Use -vv to increase the verbosity of the scan output
Run the other Nmap scan options and note new information: -sS, -sA, -sF, -sV
Save scan results using -oN (normal) and -oX (XML). Example: nmap -sT -oX test.xml your_target_IP_address

73 Lab 3.2 Port Scanning
Open a command line terminal in BackTrack
Type wireshark and hit Enter
Use the file menu to open the pcap file: File > Open > Desktop > Lab3 > tcp-connection-example
Note the three-way handshake captured in the pcap

74 Lab 3.2 Port Scanning (Nessus)
Open Nessus, and from the “scan” tab launch the port scan
Review the scan results and note the open ports
Review the scan policy and note the difference between the host discovery and port scan policies: the host discovery policy pings only (no SYN scan) and sets the port range to 0-1 to effectively disable the port scan

75 Lab 3.2 Port Scanning (CurrPorts)
Run CurrPorts: C:\lab-tools\currports\cports.exe
CurrPorts will run immediately and will display all ports on your machine
Select a port and go to File > Properties. Review the process ID, port number, and other info.
You can close a suspicious connection via File > Close Selected TCP Connections.
Ensure that the XP-1 host is up. From the Guest PC, open a command terminal and type telnet followed by the XP-1 address.
Refresh CurrPorts, and note the suspicious telnet connection. Follow step 4 above to close the connection.

76 Lab 3.2 Port Scanning (netstat)
From the Guest PC command prompt type netstat /? and review the help text
Type netstat -a -p tcp 10
List the open ports and services and compare to the nmap/Nessus results
(optional) Ensure that the XP-1 host is up. From the Guest PC, open a command terminal and type telnet followed by the XP-1 address
(optional) Review the netstat output and note the telnet connection
-a = all connections and listening ports; -p = protocol, e.g. tcp or udp; 10 = refresh interval in seconds

77 Lab 3.3 (a) netcat Banner Grabbing
We will now try to gain some information from the services listening on the open ports.
Open a command line terminal in BackTrack
You will now use the vi text editor to write a simple text file containing an HTTP request
Type vi head.txt to open a new text file called “head.txt” and hit i to insert text
Type the following, followed by an empty line (the empty line ends the HTTP header block):
HEAD / HTTP/1.0
Hit Esc to stop inserting text, then type ZZ (Shift+z twice) to save the file and quit the editor
You will now use netcat to try to gain some information from the open port 80 on the target. Type nc -vv your_target_IP_address 80 < head.txt
What software and OS is the server running?
Even a malformed request line such as GET HEAD / 1.0 elicits a banner: Apache answers 400 Bad Request, and that response still carries the Server header.
Type vi, nano or gedit to learn the basic Linux text editors
nc is the netcat command, -vv is for very verbose output, and < feeds the file head.txt into netcat's standard input

78 Lab 3.3 (b) telnet Banner Grabbing
We will now try to gain some information from the services listening on the open ports.
Open a command line terminal in BackTrack
Type telnet your_target_IP_address 80, then type HEAD / HTTP/1.0 and press Enter twice
What software and OS is the server running?
Example response (a malformed request line such as GET HEAD / 1.0 produces a 400, but the Server header is still returned):
HTTP/ Bad Request
Date: Sun, 18 Mar :11:09 GMT
Server: Apache/ (Unix) mod_ssl/ OpenSSL/0.9.7c
Connection: close
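The banner grab from Labs 3.3 (a) and (b) as a script, added as an example that is not part of the slides: send a HEAD request, read the response headers, and pull the Server banner and a platform hint out of them. demo() runs the same code against a constructed reply over a local socket pair so it works offline (the reply is modelled on the lab output above, with placeholder version strings and a constructed date); grab_host() is the live equivalent of nc -vv <target> 80 < head.txt and needs a target you are authorised to probe.

```python
# Added example (not from the slides): the banner grab from Labs 3.3 (a) and (b) as a
# script. demo() uses a constructed reply over a local socket pair (offline);
# grab_host() is the live version and needs an authorised target.
import socket
import threading
from typing import Dict, Optional


def build_head_request(host: str, path: str = "/") -> bytes:
    # HTTP/1.0 keeps the request minimal; the empty line terminates the header block
    return f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def read_headers(sock: socket.socket, limit: int = 8192, timeout: float = 5.0) -> bytes:
    """Read until the end of the header block, a byte limit, or a timeout."""
    sock.settimeout(timeout)
    data = b""
    while len(data) < limit and b"\r\n\r\n" not in data:
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        data += chunk
    return data


def parse_banner(raw: bytes) -> Dict[str, Optional[str]]:
    """Return the status line, the Server header and a rough OS hint derived from it."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    server = headers.get("server")
    os_hint = None
    if server:
        if "(Unix)" in server:
            os_hint = "Unix-like"
        elif "(Win32)" in server or "Microsoft-IIS" in server:
            os_hint = "Windows"
    return {"status": lines[0] if lines else "", "server": server, "os_hint": os_hint}


def grab(sock: socket.socket, host: str) -> Dict[str, Optional[str]]:
    sock.sendall(build_head_request(host))
    return parse_banner(read_headers(sock))


def grab_host(host: str, port: int = 80) -> Dict[str, Optional[str]]:
    """Live version of nc -vv <host> 80 < head.txt. Only against targets you are allowed to probe."""
    with socket.create_connection((host, port), timeout=5) as sock:
        return grab(sock, host)


# Constructed reply modelled on the lab's output: a malformed request gets a 400, yet the
# Server header still leaks software and platform. Version strings and date are placeholders.
CONSTRUCTED_REPLY = (b"HTTP/1.1 400 Bad Request\r\n"
                     b"Date: Sun, 18 Mar 2012 00:11:09 GMT\r\n"
                     b"Server: Apache/x.y (Unix) mod_ssl/x.y OpenSSL/0.9.7c\r\n"
                     b"Connection: close\r\n\r\n"
                     b"<html>ignored body</html>")


def demo() -> Dict[str, Optional[str]]:
    """Run grab() against a fake server on a local socket pair; no network needed."""
    client, server = socket.socketpair()

    def fake_server():
        server.recv(4096)            # consume the request, reply regardless of its contents
        server.sendall(CONSTRUCTED_REPLY)
        server.close()

    t = threading.Thread(target=fake_server)
    t.start()
    try:
        return grab(client, "lab-target.example")
    finally:
        client.close()
        t.join()


if __name__ == "__main__":
    print(demo())
```

read_headers() stops at the blank line and on a byte limit, which matters when grabbing banners from unknown services: a port that never sends a header terminator (or floods you) should not hang the scanner, and the timeout is what turns a silent port into a finished probe. The “Change service banners” defence on the port-scanning slide targets exactly the Server line this code keys on.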

79 Lab 3.4 Passive OS Identification
We are going to find out what operating system is running on one of Google's servers.
Open a command line terminal in BackTrack and obtain a DHCP IP address by typing dhclient eth3
Then type: p0f -A
Open a web browser and go to freebsd.org
Take note of the output in the terminal window
Hit Ctrl+C to stop running p0f
Open Ettercap by typing ettercap -G and start unified sniffing on eth3
Navigate to View > Profiles
Navigate to Start > Start Sniffing
Go to freebsd.org again
Take note of the output in the Ettercap window
Compare to BackTrack with the NIC in promiscuous mode
p0f does not work most of the time.

80 Lab 3.5 Active OS Identification
We are going to perform active OS fingerprinting with Nmap and xprobe2.
Open a command line terminal in BackTrack and type nmap -O your_target_IP_address (that is a capital O) to perform an operating system fingerprint
What is the general OS of the Windows machine?
Now use xprobe2 to perform host discovery. From the BackTrack menu: Applications > BackTrack > Information Gathering > Network Analysis > OS Fingerprinting > xprobe2
Type ./xprobe2 your_target_IP_address
What is the best guess OS of the target?

81 Lab 3.5 Active OS Identification (Nessus)
We are going to perform active OS fingerprinting with Nessus. From the scan tab, launch the “OS Discovery Scan” Review the results and note which plugin is used for OS discovery Compare the OS results to the NMAP results Review the scan policy to see how OS discovery is enabled

82 Lab 3.6 Anonymous scanning (Spoof IP)
From a command line in BackTrack type: wireshark
Sniff traffic on eth3
Open a second command line terminal in BackTrack and type nmap -S spoofed_IP_address -e eth3 your_target_IP_address
The -S option forges the source address of every packet Nmap sends. You will usually also need -e to name the interface (Nmap cannot work it out from a source address that is not its own) and -Pn to skip host discovery, because ping replies will never reach you.
Note that the responses do not go to your machine: the target answers the spoofed address, so Nmap itself learns nothing unless you can sniff the path the replies take
Note that a spoofed IP can be used to frame a competing company and not just to hide your identity
Note the source address and target address in the pcap
Type wireshark and hit Enter
Use the file menu to open additional pcap files: File > Open > Desktop > Lab3 > spoofed-ip-example

83 Lab 3.6 Anonymous scanning (Anonymizer)
From the Ubuntu machine use the web browser and navigate to the Anonymouse web proxy site. Choose English.
Click on Your Calling Card without Anonymouse and Your Calling Card with Anonymouse to compare the results (the calling card shows what a visited site can see about you: your IP address, browser and referrer).
Enter a website to search anonymously and press the "surf anonymously" button.
Note that a web anonymizer hides your address from the destination only; the proxy operator sees every request and response in the clear, and traffic from other programs on the machine does not go through it.

84 Lab 3.7 (a) Finding Vulnerabilities (US Cert)
Review vulnerabilities in the US-CERT Cyber Security Bulletins at us-cert.gov/cas/bulletins/ (released every Monday, always one week behind).
Pick a vulnerability based on an OS or service in the lab environment to review and note the following items:
The CVE reference number
Impact scores (the higher the score the greater the impact)
Vulnerable versions
Other places to look a vulnerability up:
National Vulnerability Database (nvd.nist.gov)
Exploit-Database (exploit-db.com)
Securitytracker (www.securitytracker.com)
Securiteam (www.securiteam.com)
Hackerstorm Vulnerability Research (www.hackerstorm.com)
Hackerwatch (www.hackerwatch.org)
SecurityFocus (www.securityfocus.com)
Security Magazine (www.securitymagazine.com)
SC Magazine (www.scmagazine.com)
Impact Score: the bulletins report the CVSS v2 base score, which is computed from a vector of six metrics:
AV = AccessVector (related exploit range). Possible values: L = Local access, A = Adjacent network, N = Network
AC = AccessComplexity (required attack complexity). Possible values: H = High, M = Medium, L = Low
Au = Authentication (level of authentication needed to exploit). Possible values: N = None required, S = Requires single instance, M = Requires multiple instances
C = ConfImpact (confidentiality impact). Possible values: N = None, P = Partial, C = Complete
I = IntegImpact (integrity impact). Possible values: N = None, P = Partial, C = Complete
A = AvailImpact (availability impact). Possible values: N = None, P = Partial, C = Complete

85 Lab 3.7 (b) Finding Vulnerabilities (OSVDB)
Use Hackerstorm to review vulnerabilities.
Go to http://www.hackerstorm.com/start.html (listed under Resources) to start the OSVDB Hackerstorm tool.
Click the OSVDB search button at the bottom of the home screen.
Scroll through the vendors and choose PuTTY, and then click the view button.
From the next screen choose view all.
Review the vulnerabilities listed and click one to view details. From the tool you can see the description, solution, references, etc.
Note that this tool makes it easy to search for vulnerabilities both old and new by vendor. The tool is a front end to the OSVDB data set, which is no longer maintained, so cross-check anything recent against NVD.

86 Lab 3.7 (c) Finding Vulnerabilities (Nessus)
From the Nessus scan tab, launch the "Internal Network Scan"
Review the scan results and look for vulnerabilities that Nessus flags as exploitable
Review the results and investigate patches that can be applied to fix an exploitable vulnerability
Review the vulnerability via US-CERT

87 Resources http://www.dc-cybersecurity.com/
CEH Certified Ethical Hacker Study Guide (Amazon)
Oceans 11 clip
people.yahoo.com

88 Resources http://www.backtrack-linux.org/ http://www.de-ice.net/

89 Resources
Sarah Palin

90 Resources http://www.hackerstorm.com/start.html
social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)

91 CEH Certified Ethical Hacker
List of Tools: a PDF mapping tools to the different phases of a penetration test. Review the list of tools and pick tools that you know and can demonstrate, or that you would like to learn more about.
CEH Certified Ethical Hacker All-in-One Exam Guide (Amazon)

92 Parking lot Topics Social Engineering Toolkit Maltego

93 Suggestions for Improvement
TBD

