Presentation is loading. Please wait.

Presentation is loading. Please wait.

DefCon: Network Mapping Techniques Simple Nomad Nomad Mobile Research Centre BindView Corporation.

Similar presentations


Presentation on theme: "DefCon: Network Mapping Techniques Simple Nomad Nomad Mobile Research Centre BindView Corporation."— Presentation transcript:

1 DefCon: Network Mapping Techniques Simple Nomad Nomad Mobile Research Centre BindView Corporation

2 About This Presentation  Assume basics –Understand IP addressing –Understand basic system administration  Tools –Where to find them –Basic usage  A “Network” point of view

3 About Me  NMRC:  BindView:

4 Know Your Target  Public information  Network enumeration  Network mapping

5 Public Information  Public records  WHOIS  DNS  Public postings

6 Network Enumeration  Goals of network enumeration  ICMP  Scanning  TCP Fingerprinting  Additional Probes

7 ICMP  Sweeping a network with Echo  Typical alternates to ping –Timestamp –Info Request  Advanced ICMP enumeration –Host or port unreachable with illegal header length

8 Scanning  Why scan?  Nmap – defacto standard –Ping sweeps –Port scanning –Additional features

9 TCP Fingerprinting  Several different type of packets sent  Various responses come back  Differences can determine OS of remote system  Using just ICMP is possible

10 Addition Probes  Possible security devices  Sweep for promiscuous devices

11 Network Mapping  Determine network layout  Traceroute  Firewalk

12 Bypassing the Firewall  Tools –Firewalk –Nmap  Common ports  State table manipulation

13 Avoiding Intrusion Detection  Manipulation of “detected” data  Use of fragmented packets  Triggering false positive, or distraction

14 Connecting the Dots  View each step as a small part of a big picture  Each step is important  Data could be stored for later use

15 Example Intrusion  WHOIS –DNS server names  Traceroute  DNS zone dump  Host enumeration  Public systems  Initial port scanning

16 WHOIS # whois Whois Server Version 1.1 Domain names in the.com,.net, and.org domains can now be registered with many different competing registrars. Go to for detailed information. Domain Name: TARGET-COMPANY.COM Registrar: NETWORK SOLUTIONS, INC. Whois Server: whois.networksolutions.com Referral URL: Name Server: NS1.TARGET-COMPANY.COM Name Server: NS2.TARGET-COMPANY.COM Updated Date: 06-dec-1999 >>> Last update of whois database: Mon, 20 Mar 00 03:35:14 EST <<< The Registry database contains ONLY.COM,.NET,.ORG,.EDU domains and Registrars.

17 Traceroute # traceroute ns1.target-company.com traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets 1 fw-gw ( ) ms ms ms 2 s1-0-1-access ( ) ms ms ms 3 dallas.tx.core1.fastlane.net ( ) ms ms ms 4 atm CR-1.usdlls.savvis.net ( ) ms ms ms 5 Serial1-0-1.GW1.DFW1.ALTER.NET ( ) ms ms ms ATM3-0.XR2.DFW4.ALTER.NET ( ) ms ms ms ( ) ms ms ms 8 dfw2-core2-pt4-1-0.atlas.digex.net ( ) ms ms ms 9 dfw2-core1-fa8-1-0.atlas.digex.net ( ) ms ms ms 10 swbell-net.demarc.swbell.net ( ) ms ms ms 11 ded2-fa1-0-0.rcsntx.swbell.net ( ) ms ms ms 12 target-company cust-rtr.swbell.net ( x.xxx) ms ms ms 13 ns1.target-company.com (xxx.xx.xx.xx) ms ms ms

18 Traceroute # traceroute ns2.target-company.com traceroute to ns2.target-company.com (xxx.xx.x.x), 30 hops max, 40 byte packets 1 fw-gw ( ) ms ms ms 2 s access ( ) ms ms s1-0-1-access ( ) ms 3 dallas.tx.core1.fastlane.net ( ) ms ms ms 4 FE-0.core2.fastlane.net ( ) ms ms ms 5 hs-9-0.a09.dllstx01.us.ra.verio.net ( ) ms ms ms 6 ge a10.dllstx01.us.ra.verio.net ( ) ms ms ms 7 g6-0.dfw2.verio.net ( ) ms ms ms 8 core4-atm-uni0-0-0.Dallas.cw.net ( ) ms ms ms 9 core2-fddi-0.Dallas.cw.net ( ) ms ms ms 10 border6-fddi-0.Dallas.cw.net ( ) ms ms ms 11 target-company-inet.Dallas.cw.net ( xxx.xxx) ms ms ms 12 ns1.target-company.com (xxx.xx.x.x) ms ms ms

19 DNS Zone Dump # nslookup Default Server: vortex.fastlane.net Address: > server ns1.target-company.com Default Server: ns1.target-company.com Address: xxx.xx.xx.xx > ls -a TARGET-COMPANY.COM > dump.txt [ns1.target-company.com] ################################################################################ ###################################################################### Received answers (0 records). >

20 Host Enumeration #./icmpenum -i 2 -c xxx.xx xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up xxx.xx is up

21 Public Systems  –www2, www3  ftp.target-system.com ftp.target-system.com  mail.target-system.com

22 Scanning # nmap -O -T Polite -n xxx.xx Starting nmap V. 2.3BETA14 by ( ) Interesting ports on (xxx.xx.17.11): Port State Protocol Service 21 open tcp ftp 23 open tcp telnet 25 open tcp smtp 79 open tcp finger 110 open tcp pop open tcp auth 143 open tcp imap2 TCP Sequence Prediction: Class=truly random Difficulty= (Good luck!) Remote operating system guess: Linux Nmap run completed -- 1 IP address (1 host up) scanned in 625 seconds # nmap -O xxx.xx Starting nmap V. 2.3BETA14 by ( ) No ports open for host (xxx.xx.17.11) Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

23 More Scanning # nmap -F -sS -v -v -n firewall.target-system.com Starting nmap V. 2.3BETA14 by ( ) Host (xxx.xx.49.17) appears to be up... good. Initiating SYN half-open stealth scan against (xxx.xx.49.17) Adding TCP port 189 (state Firewalled). The SYN scan took 270 seconds to scan 1047 ports. Interesting ports on (xxx.xx.49.17): Port State Protocol Service 139 filtered tcp netbios-ssn 161 filtered tcp snmp 189 filtered tcp qft 256 filtered tcp rap 257 filtered tcp set 258 filtered tcp yak-chat Nmap run completed -- 1 IP address (1 host up) scanned in 273 seconds

24 Network Mapping cw swb Internet Routers

25 Network Mapping cw swb Internet Routers

26 Network Mapping Firewall DMZ cw swb VPN Internet Routers

27 Network Mapping Firewall DMZ www ftp cw swb VPN Internet Routers

28 Network Mapping Firewall DMZ www ftp cw swb VPN Internet Routers

29 Network Mapping Sun Linux Firewall NT Hosts InsideDMZ www ftp cw swb VPN Internet Routers

30 Network Mapping Sun Linux Firewall NT Hosts InsideDMZ www ftp cw swb VPN Internet Routers Linux xxx.xx.48.2 AIX xxx.xx.48.1 Checkpoint Firewall-1 Solaris 2.7 xxx.xx Checkpoint Firewall-1 Nortel VPN xxx.xx Cisco xxx.xxx Nortel CVX x.xxx IDS?

31 Basic Distributed Attack Models  Attacks that do not require direct observation of the results  Attacks that require the attacker to directly observe the results

32 Basic Model ServerAgent Client Issue commands Processes commands to agents Carries out commands

33 More Advanced Model TargetAttacker Forged ICMP Timestamp Requests ICMP Timestamp Replies Sniffed Replies

34 Even More Advanced Model Target FirewallFirewall

35 Even More Advanced Model Target FirewallFirewall Upstream Host

36 Even More Advanced Model Target Attack Node FirewallFirewall Upstream Host Master Node

37 Even More Advanced Model Target Attack Node FirewallFirewall Upstream Host Attacks or Probes Master Node

38 Even More Advanced Model Target Attack Node FirewallFirewall Upstream Host Attacks or Probes Replies Master Node

39 Even More Advanced Model Target Attack Node Sniffed Replies Attack Node FirewallFirewall Upstream Host Attacks or Probes Replies Master Node

40 Even More Advanced Model Target Attack Node Sniffed Replies Attack Node FirewallFirewall Upstream Host Attacks or Probes Replies Master Node

41 (Mostly) Free Stuff  HackerShield RapidFire Update 208 –With SANS Top Ten checks, including comprehensive CGI scanner –http://www.bindview.com/products/hackershield/index.html  VLAD the Scanner –Freeware open-source security scanner, including same CGI checks as HackerShield –Focuses only on SANS Top Ten –http://razor.bindview.com/tools/index.shtml  Despoof –Detects possible spoofed packets through active queries against suspected spoofed IP address –http://razor.bindview.com/tools/index.shtml

42 Questions, etc.  Thanks to: –Ofin Arkin –Donald McLachlan  For followup: –http://www.nmrc.org/http://www.nmrc.org/ –http://razor.bindview.com/http://razor.bindview.com/


Download ppt "DefCon: Network Mapping Techniques Simple Nomad Nomad Mobile Research Centre BindView Corporation."

Similar presentations


Ads by Google