ITIS 6167/8167: Network Security, Weichao Wang. OS detection through TCP/IP fingerprint; DNS and its security.


Slide 1: ITIS 6167/8167: Network Security, Weichao Wang

Slide 2: OS detection through TCP/IP fingerprint; DNS and its security

Slide 3: (figure only, no transcript text)

Slide 4: OS detection through TCP/IP fingerprint
Reasons to detect the OS:
– Determine the vulnerability of target hosts
– Tailor exploits
– Network inventory

Slide 5: Nmap
Nmap ("Network Mapper") uses IP packets to determine what hosts are available on the network, what services those hosts are offering (application name and version), what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap is free software, available with full source code at http://www.nmap.org/

Slide 6: Nmap has been used in many movies

Slide 7: Host Discovery
– TCP SYN probe: the remote side replies with ACK or RST
– TCP ACK probe: the remote side returns RST
– UDP probe: use an uncommon UDP port (most of the time closed) and get an ICMP port unreachable report
– ICMP Echo Request (ping)
– ICMP Timestamp Request
– ICMP Netmask Request

Slide 8: ARP probes
– Why an ARP scan? When you use an ICMP ping scan on the local network, the OS first has to send an ARP request to find the MAC address of each target
– A sweep sends millions of ARP requests; the OS's ARP handling is not designed for this
– Nmap therefore controls ARP directly and sends out the ARP requests itself

Slide 9: Intense Discovery!
    # nmap -sP -PE -PP -PS21,22,23,25,80,113,21339 -PA80,113,443,10042 --source-port 53 -n -T4 -iR 10000
    [ ... lots of IPs ... ]
    Host a.b.c.d appears to be up.
    Host w.x.y.z appears to be up.
    Nmap finished: 10000 IP addresses (699 hosts up) scanned in 2016.564 seconds

Slide 10: Nmap – Port Scanner
Purpose of a port scanner:
– Identify unused/unauthorized services in the network. Example: an unauthorized FTP service, Trojan software
– Discover unused/rogue devices in the network. Example: an unauthorized notebook computer

Slide 11: Nmap – Port Scanner Output

Slide 12: Nmap – Port Scanner Example

Slide 13: Nmap – Port Scanner Example

Slide 14: Port scan
– There are many more scan types than the TCP SYN scan
– Be careful with scan results; sometimes they are misleading:
  – The target's TCP/IP implementation does not follow the RFC
  – The OS intentionally confuses the scanner

Slide 15: TCP scan
– Send only the SYN packet
  – If a SYN/ACK is received, the port is open
  – If a RST is received, there is no listener on the port
  – If there is no response, or an ICMP error report is received, the port is filtered

Slide 16: UDP scan
– Many UDP ports are open: DNS, SNMP, DHCP, etc.
– Send an empty UDP header (no data) to the target ports
– Problem of the UDP scan: it is too slow. Many OSes rate-limit the ICMP unreachable packets they send out, e.g. Linux and Solaris to 1 pkt/sec. If no response arrives, the UDP packets are resent, which also takes a long time.

Slide 17: TCP NULL, FIN, and Xmas scans
Use combinations of TCP flag bits to distinguish an open port from a closed port:
– Null scan: does not set any flag bits
– FIN scan: sets just the TCP FIN bit
– Xmas scan: sets the FIN, PSH, and URG flags

Slide 18: TCP ACK scan
– Tries to tell whether or not the port is filtered
– Just sets the ACK bit
– If the port is not filtered (the ACK packet reaches the port), you will receive a RST
– If an ICMP error report is received, label the port as filtered

Slide 19: TCP Window scan
– Almost the same as the ACK scan
– But it looks at the window size in the returned RST packet:
  – A positive window size indicates an open port
  – A zero window size indicates the port is closed

Slide 20: Idle Scanning
– Uses the IPID of a quiet host (the "zombie") to check for open ports on other hosts
– Nmap spoofs the zombie's address when sending packets to the victim
– It then polls the zombie to see whether its IPID has incremented (the zombie received a RST from the victim it was not expecting)

Slide 21: (figure only, no transcript text)

Slide 22: FTP bounce scan
– Uses the FTP proxy connection feature
– A user connects to server 1 and asks for files to be sent to host 2
– Uses the FTP server to scan a host's ports
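The scan types on slides 15 through 19 all leave a characteristic trace on the target side: a burst of SYN-only packets to many ports from one source, or packets carrying flag combinations (no flags; FIN alone; FIN+PSH+URG) that never occur in a legitimate handshake. The following added example, which is not part of the lecture, shows how a defender would pick those patterns out of firewall logs. The log format, the sample lines and the port threshold are constructed for the example; a real deployment would read the logs of whatever firewall is in use and tune the threshold to its own traffic.

```python
"""Spot port-scan patterns in firewall logs (added example, not from the slides).

The log format is a simplified, constructed one:
    <time> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port> FLAGS=<flag letters>
where the flag letters are S (SYN), A (ACK), F (FIN), P (PSH), U (URG).
"""
from collections import defaultdict
import re

# Constructed sample traffic: 10.0.0.5 sweeps six ports with SYN only,
# 10.0.0.7 completes a normal connection, 10.0.0.9 sends NULL/Xmas/FIN probes.
SAMPLE_LOG = """\
10:00:01 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=22 FLAGS=S
10:00:01 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=23 FLAGS=S
10:00:01 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=25 FLAGS=S
10:00:01 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=80 FLAGS=S
10:00:02 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=443 FLAGS=S
10:00:02 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=8080 FLAGS=S
10:00:03 SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP DPT=80 FLAGS=S
10:00:03 SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP DPT=80 FLAGS=A
10:00:04 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP DPT=139 FLAGS=
10:00:04 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP DPT=445 FLAGS=FPU
10:00:05 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP DPT=21 FLAGS=F
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+) FLAGS=(\S*)")


def parse_lines(text):
    """Turn log text into (src, dst, dport, flag-set) tuples; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, dpt, flags = m.groups()
            events.append((src, dst, int(dpt), set(flags)))
    return events


def classify_flags(flags):
    """Map a flag set to the probe types the slides describe."""
    if not flags:
        return "null"            # NULL scan: no flag bits at all
    if flags == {"F"}:
        return "fin"             # FIN scan
    if flags == {"F", "P", "U"}:
        return "xmas"            # Xmas scan
    if flags == {"S"}:
        return "syn"             # SYN scan or a normal connection start
    if flags == {"A"}:
        return "ack"             # ACK/Window scan or a normal handshake step
    return "other"


def detect_scans(events, port_threshold=5):
    """Return {source ip: [findings]}.

    NULL/FIN/Xmas packets are reported individually: no legitimate client opens a
    connection with those flags, so a single one is worth a look. SYN packets
    are only suspicious in bulk, so they are counted per (src, dst) and reported
    once the number of distinct destination ports reaches the threshold.
    """
    findings = defaultdict(list)
    syn_ports = defaultdict(set)
    for src, dst, dpt, flags in events:
        kind = classify_flags(flags)
        if kind in ("null", "fin", "xmas"):
            findings[src].append(f"{kind} probe to {dst}:{dpt}")
        elif kind == "syn":
            syn_ports[(src, dst)].add(dpt)
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= port_threshold:
            findings[src].append(f"SYN sweep of {len(ports)} ports on {dst}")
    return dict(findings)


if __name__ == "__main__":
    for src, notes in detect_scans(parse_lines(SAMPLE_LOG)).items():
        print(src, notes)
```

The threshold matters more than the flag logic: a monitoring host that legitimately checks many services will look like the SYN sweep above, so in practice the count is raised or the monitoring host is allow-listed, while the NULL/FIN/Xmas findings need no such tuning.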

Slide 23: OS detection
– Send multiple TCP, UDP, and ICMP probes to open or closed ports of the machine
– In the TCP packets, the following information is used:
  – Sequence number
  – TCP options
  – Window size
  – Congestion control
  – MSS size, timestamp

Slide 24: In the ICMP packets, the following information is used:
– Handling of the DF bit
– TOS field
– ICMP code
– ICMP identifier

Slide 25: In the UDP packet, the following information is used:
– UDP port number
– Handling of the data contents
In summary, dozens of attributes are used to fingerprint the OS.

Slide 26: OS detection
– Send dozens of ICMP, TCP, and UDP packets to the host
– Analyze every bit of the reply
– Map the results to the known fingerprints of operating systems

Slide 27: (figure only, no transcript text)

Slide 28: DNS: Domain Name Service
Motivation:
– People cannot remember IP addresses; they want something easier to remember
DNS in the early days (ARPANET):
– A flat name space without structure
– A centralized site to maintain it: a file named hosts.txt at SRI
– Advantages: short names
– Problems: scalability, conflicts, maintaining copies

Slide 29: Hierarchical names
– Decentralized naming mechanism: delegating authority and distributing responsibility
– The authoritative name servers for each domain can assign other authoritative name servers for their sub-domains
– Advantages: distributed, fault tolerant, avoids a central registry
– Works like a large company:
  – Partitioned at every level
  – The authority for names in a subdivision is passed to designated agents

Slide 30: DNS: two things
– Name syntax and rules for delegation
– Ways of implementation so that we can efficiently map names to IPs
DNS syntax:
– A set of labels separated by periods
– No label is longer than 63 bytes
– At most 127 levels
– The whole domain name is no longer than 253 bytes
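The three limits on slide 30 are the checks a resolver, a zone-file loader or an input validator applies before it does anything else with a name; a name that breaks them cannot be encoded on the wire. The added example below, not part of the lecture, applies those checks and also lists the chain of enclosing domains that slide 31 illustrates with sis.uncc.edu. It assumes names are given in the usual dotted form, with an optional trailing dot for an absolute name.

```python
"""Validate a domain name against the DNS syntax limits on slide 30.

Added example, not from the lecture. Limits: 63 bytes per label, at most 127
labels, at most 253 bytes for the whole name (dots included).
"""

MAX_LABEL = 63
MAX_LABELS = 127
MAX_NAME = 253


def check_name(name):
    """Return (ok, reason). A trailing dot marks an absolute name and is ignored."""
    if name.endswith("."):
        name = name[:-1]
    if not name:
        return False, "empty name"
    raw = name.encode("utf-8")
    if len(raw) > MAX_NAME:
        return False, f"name is {len(raw)} bytes, limit is {MAX_NAME}"
    labels = name.split(".")
    if len(labels) > MAX_LABELS:
        return False, f"{len(labels)} labels, limit is {MAX_LABELS}"
    for label in labels:
        b = label.encode("utf-8")
        if not b:
            return False, "empty label (consecutive dots)"
        if len(b) > MAX_LABEL:
            return False, f"label '{label[:10]}...' is {len(b)} bytes, limit is {MAX_LABEL}"
    return True, "ok"


def domain_chain(name):
    """Enclosing domains, most specific first, as on slide 31:
    sis.uncc.edu -> ['sis.uncc.edu', 'uncc.edu', 'edu']."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


if __name__ == "__main__":
    for n in ("sis.uncc.edu", "a" * 64 + ".edu", "bad..name"):
        print(n[:20], check_name(n))
    print(domain_chain("sis.uncc.edu"))
```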

Slide 31: Example
– sis.uncc.edu is a domain
– uncc.edu is also a domain
– The top-level domain is edu

Slide 32: Top-level domains

Slide 33: New top-level domains

Slide 34: A domain is not necessarily a geographic concept:
– Ten hosts with different names under research.hp.com can be distributed across different branches

Slide 35: Mapping a domain name to an address
– Name server: accomplishes the translation
– Client: generates the request
– Servers are arranged in a tree structure
– A given server handles an entire subtree
– There are 13 (maybe more now) root servers around the world:
  – Distributes the workload
  – Improves safety

Slide 36: (figure only, no transcript text)

Slide 37: In practice:
– A single server can handle multiple levels of the naming tree
– For example, the root servers handle all top-level domains
– Circular dependencies and glue records
– DNS can be used to implement email blacklists

Slide 38: Efficient translation
– Facts:
  – Most lookups refer to local names
  – On your machines, you can configure frequently used suffixes
  – Name-address mappings change infrequently
  – Users tend to look up the same sites again
– The initial contact begins with the local DNS server

Slide 39: Caching: servers cache answers
– The local server maintains a cache
– Bindings change infrequently
– TTL for each entry:
  – Set by the authoritative server
  – Negative entries have a TTL of 600 seconds
– Because of caching, not everyone necessarily sees the same thing

Slide 40: Two types of queries
– Recursive: usually used by the client
– Iterative: used by the local DNS server

Slide 41: Recursive query
– A resolver sends a recursive query to a name server.
– The queried name server is obliged to respond with the requested data, or with an error stating that data of the requested type don't exist or that the domain name specified doesn't exist.
– The name server can't just refer the querier to a different name server, because the query was recursive.

Slide 42: Recursive query
– If the queried name server isn't authoritative for the data requested, it will have to query other name servers to find the answer.
– It could send recursive queries to those name servers, thereby obliging them to find the answer and return it.
– Or it could send iterative queries and possibly be referred to other name servers "closer" to the domain name it's looking for.
– Current implementations are polite and do the latter, following the referrals until an answer is found.
– The recursive query should contain the whole query, not a shortened version or an explicit query. Why? Efficiency, and the server may not exist.
– Be careful of circular dependencies.

Slide 43: Iterative process
– In iterative resolution, a name server simply gives the best answer it already knows back to the querier.
– No additional querying is required.
– The queried name server consults its local data, looking for the data requested. If it doesn't find the data there, it makes its best attempt to give the querier data that will help it continue the resolution process. Usually these are the domain names and addresses of the closest known name servers.
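Slides 37, 42 and 43 together describe how a local server resolves a name iteratively: ask a root server, get a referral to the servers for the top-level domain, ask one of them, get a referral for the next level, and so on, using the glue address records that come with each referral. The added example below, not the lecture's code, walks a constructed three-level server tree (the IPs and server names are placeholders) and shows the circular dependency slide 37 mentions: when the delegation for uncc.edu names ns1.uncc.edu as its server but omits the glue record, the resolver would have to resolve ns1.uncc.edu through the very zone it is trying to reach, so the example stops there instead of looping.

```python
"""Simulate iterative DNS resolution with referrals and glue records.

Added example, not from the lecture. The server tree is constructed: keys are
placeholder server IPs; "ns" holds delegations (subzone -> its server names),
"a" holds the address records the server knows (answers or glue).
"""
import copy

ROOT = "192.0.2.0"   # placeholder root-server address
SERVERS = {
    "192.0.2.0": {"zone": ".", "ns": {"edu.": ["a.edu-servers.net."]},
                  "a": {"a.edu-servers.net.": "192.0.2.1"}},
    "192.0.2.1": {"zone": "edu.", "ns": {"uncc.edu.": ["ns1.uncc.edu."]},
                  "a": {"ns1.uncc.edu.": "192.0.2.2"}},          # glue record
    "192.0.2.2": {"zone": "uncc.edu.", "ns": {},
                  "a": {"ns1.uncc.edu.": "192.0.2.2",
                        "sis.uncc.edu.": "192.0.2.3"}},
}


def in_zone(name, zone):
    """True if `name` lies in `zone` (root contains everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def resolve(name, servers=SERVERS, root=ROOT, max_steps=10):
    """Iterative resolution as slide 43 describes: every queried server returns
    the best data it has, either the answer or a referral to closer servers.
    Returns (address, list of zones consulted)."""
    trail = []
    current = root
    for _ in range(max_steps):
        srv = servers[current]
        trail.append(srv["zone"])
        if name in srv["a"]:
            return srv["a"][name], trail
        # Referral: the most specific delegated subzone that contains the name.
        candidates = [z for z in srv["ns"] if in_zone(name, z)]
        if not candidates:
            raise LookupError(f"{name}: no such name (answer from {srv['zone']})")
        zone = max(candidates, key=len)
        ns_names = srv["ns"][zone]
        glue = [srv["a"][ns] for ns in ns_names if ns in srv["a"]]
        if not glue:
            # The server for the subzone is named inside that subzone and no
            # glue was supplied: the chicken-and-egg case from slide 51.
            raise LookupError(f"referral to {ns_names} for {zone} without glue")
        current = glue[0]
    raise LookupError("too many referrals")


def drop_glue(servers, server_ip, host):
    """Copy of the tree with one address record removed (to show a broken delegation)."""
    s = copy.deepcopy(servers)
    del s[server_ip]["a"][host]
    return s


if __name__ == "__main__":
    print(resolve("sis.uncc.edu."))
    try:
        resolve("sis.uncc.edu.", drop_glue(SERVERS, "192.0.2.1", "ns1.uncc.edu."))
    except LookupError as e:
        print("broken delegation:", e)
```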

Slide 44: (figure only, no transcript text)

Slide 45: Inverse mapping
– Start from the IP address and find out the labels
– Use the IP address as part of the domain label
– Use the IP address in reverse order, since the first byte usually carries the most information: 222.33.44.3 becomes 3.44.33.222.in-addr.arpa
– Many name servers do not support this any more

Slide 46: (figure only, no transcript text)

Slide 47: DNS port number
– TCP and UDP port 53
– Most of the time UDP is used
– TCP is used for:
  – Requests with a large size (longer than 512 bytes)
  – Zone transfers

Slide 48: Resource records
– Store the domain name data
– Can be of different types:
  – A: address
  – MX: mail exchanger
  – NS: name server
  – etc.
– Wildcard DNS records

Slide 49: Example resource records
    ISI.EDU.         MX  10 VENERA.ISI.EDU.
                     MX  10 VAXA.ISI.EDU.
    VENERA.ISI.EDU.  A   128.9.0.32
                     A   10.1.0.52
    VAXA.ISI.EDU.    A   10.2.0.27
                     A   128.9.0.33

Slide 50: The difference between a domain and a zone
– This is important: a name server may know only its zone, not the whole domain
– A zone consists of a collection of connected nodes served by an authoritative name server
– A single name server can host multiple zones
– A zone contains the domain names of its domain, except for those in delegated subdomains
– A domain contains more information than the name server would need

Slide 51: Information that defines a zone
– Authoritative data for all nodes within the zone
– Data that defines the top node of the zone
– Data that describes delegated subzones
– Data that allows access to the name servers for subzones: avoids the chicken-and-egg situation
– The servers for a zone do not need to reside on a host in that domain
– Zones are described by resource records

Slide 52: Domain server message format
– Can ask multiple questions in a single message (need to identify the number of questions)
– You need to identify the domain name, class (Internet), and type
– How to represent domain names:
  – Multiple labels
  – Each label is preceded by a length byte
  – A length byte of 0 marks the end
  – May also use a pointer (two bytes)

Slide 53: The query would look like:
               +-----------------------------------------+
    Header     | OPCODE=SQUERY                           |
               +-----------------------------------------+
    Question   | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=A |
               +-----------------------------------------+
    Answer     |                                         |
               +-----------------------------------------+
    Authority  |                                         |
               +-----------------------------------------+
    Additional |                                         |
               +-----------------------------------------+

Slide 54: The response would look like:
               +-----------------------------------------+
    Header     | OPCODE=SQUERY, RESPONSE, AA             |
               +-----------------------------------------+
    Question   | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=A |
               +-----------------------------------------+
    Answer     | SRI-NIC.ARPA. 86400 IN A 26.0.0.73      |
               |               86400 IN A 10.0.0.51      |
               +-----------------------------------------+
    Authority  |                                         |
               +-----------------------------------------+
    Additional |                                         |
               +-----------------------------------------+
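Slides 52 to 54 show the message layout at the level of sections; the part that trips up implementers is the name encoding inside it: length-prefixed labels, a 0 byte terminating the name, and a two-byte pointer (top two bits set) that refers back to a name earlier in the message. The added example below, not the lecture's code, builds a query for SRI-NIC.ARPA. with the 12-byte header and one question, decodes it again, and decodes a constructed message that uses a compression pointer. The pointer handling is where defensive parsers matter: a pointer that points forward or at itself would make a naive decoder loop forever, so the decoder rejects any pointer that does not point strictly backwards.

```python
"""Encode and decode DNS wire-format names and a one-question query.

Added example, not from the lecture. Header and name encoding follow the
layout on the slides (IDs, flags and counts are 16-bit big-endian fields).
"""
import struct


def encode_name(name):
    """'sri-nic.arpa.' -> b'\\x07sri-nic\\x04arpa\\x00' (length byte per label, 0 ends)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        b = label.encode("ascii")
        if not 0 < len(b) <= 63:
            raise ValueError("label must be 1..63 bytes")
        out.append(len(b))
        out += b
    out.append(0)
    return bytes(out)


def decode_name(msg, offset):
    """Return (name, offset after the name). A pointer (two bytes, top bits 11)
    jumps to an earlier offset; the returned offset is the byte after the first
    pointer seen, since the rest of the name lives elsewhere in the message."""
    labels = []
    end = None
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:                       # must point strictly backwards
                raise ValueError("pointer does not point backwards (loop)")
            if end is None:
                end = offset + 2
            offset = ptr
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def build_query(qname, txid, qtype=1, qclass=1):
    """12-byte header (ID, flags with RD set, QDCOUNT=1, other counts 0) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def parse_question(msg):
    """Read the header and the first question of a message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "qdcount": qd,
            "qname": qname, "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    q = build_query("sri-nic.arpa.", 0x1234)
    print(q.hex(), parse_question(q))
    # Constructed message: a full name at offset 0, then "www" + pointer to it.
    msg = encode_name("sri-nic.arpa.") + b"\x03www\xc0\x00"
    print(decode_name(msg, 14))            # ('www.sri-nic.arpa.', 20)
```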

Slide 55: (figure only, no transcript text)

Slide 56: Security problems of DNS
– Protocol-based attacks: based on how DNS works
– Server attacks: based on bugs in the programs or machines running DNS

Slide 57: (figure only, no transcript text)

Slide 58: Protocol attacks
– DNS spoofing
– DNS ID hacking
– DNS cache poisoning
Cache poisoning:
– Maps a domain to an attacker's IP
– Usually through related-data or unrelated-data attacks

Slide 59: DNS spoofing
– Answer DNS queries intended for another server
– May need to guess the DNS request identification (16 bits) and the source UDP port number

Slide 60: Unrelated data attack
– The attacker asks the victim DNS server for a non-existent name whose mapping is served by a server under the attacker's control; a "recursive" request is used so the attacker stays hidden
– When the victim server asks the malicious server, it answers with unrelated information that poisons the victim's cache
– This has been fixed: any unrelated data is now rejected

Slide 61: (figure only, no transcript text)

Slide 62: Related data attack
– The attack procedure is the same, but the data has to be made related
– Uses MX, CNAME, and NS records of the same domain
– These records do not give a real IP, just another domain name
– Can poison the victim's cache
– This has been fixed: any out-of-zone data is rejected
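The fix that slides 60 and 62 mention ("reject any out-of-zone data") is a rule a caching server applies to every record in a response: a server that is authoritative for the attacker's zone may only populate the cache with records whose names lie in that zone, however "related" the extra records look. The added example below, not the lecture's code, is a small resolver cache that applies that rule, honours the per-record TTL from slide 39, and keeps negative answers for the 600 seconds slide 39 gives. The responses fed to it are constructed; the zone names and addresses are placeholders.

```python
"""A resolver cache with TTL expiry, negative caching and an out-of-zone check.

Added example, not the lecture's code. Records are (name, type, ttl, rdata);
times are plain integers (seconds) so the expiry logic is easy to follow.
"""

NEGATIVE_TTL = 600          # slide 39: negative entries live 600 seconds


def in_zone(name, zone):
    """True if `name` is at or below `zone` (case-insensitive, absolute names)."""
    name, zone = name.lower(), zone.lower()
    return zone == "." or name == zone or name.endswith("." + zone)


class Cache:
    def __init__(self):
        self.entries = {}    # (name, type) -> (expires_at, rdata); type "*" = negative
        self.rejected = []   # records dropped by the out-of-zone check

    def store_response(self, server_zone, records, now, negative_for=None):
        """Add the records of a response from a server authoritative for
        `server_zone`. Records for names outside that zone are discarded: a server
        for attacker.example must not be able to hand us victim.example data."""
        for name, rtype, ttl, rdata in records:
            if not in_zone(name, server_zone):
                self.rejected.append((name, rtype, rdata))
                continue
            self.entries[(name.lower(), rtype)] = (now + ttl, rdata)
        if negative_for is not None:
            self.entries[(negative_for.lower(), "*")] = (now + NEGATIVE_TTL, None)

    def lookup(self, name, rtype, now):
        """Return ('hit', rdata), ('negative', None) or ('miss', None)."""
        key = (name.lower(), rtype)
        neg = self.entries.get((name.lower(), "*"))
        if neg is not None and neg[0] > now:
            return "negative", None
        hit = self.entries.get(key)
        if hit is None:
            return "miss", None
        expires_at, rdata = hit
        if expires_at <= now:
            del self.entries[key]          # TTL ran out: fetch again next time
            return "miss", None
        return "hit", rdata


# Constructed response from the attacker's server: one legitimate record for
# its own zone and one record it has no business supplying.
POISON_ATTEMPT = [
    ("www.attacker.example.", "A", 3600, "192.0.2.10"),
    ("www.victim.example.", "A", 86400, "192.0.2.10"),
]


def demo(now=1000):
    c = Cache()
    c.store_response("attacker.example.", POISON_ATTEMPT, now)
    c.store_response("victim.example.", [], now, negative_for="nothere.victim.example.")
    return {
        "victim_poisoned": c.lookup("www.victim.example.", "A", now + 1)[0] == "hit",
        "rejected": len(c.rejected),
        "attacker_fresh": c.lookup("www.attacker.example.", "A", now + 10)[0],
        "attacker_expired": c.lookup("www.attacker.example.", "A", now + 3600)[0],
        "negative_fresh": c.lookup("nothere.victim.example.", "A", now + 599)[0],
        "negative_expired": c.lookup("nothere.victim.example.", "A", now + 600)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The check is on the name of each record, not on whether it looks related to the question, which is exactly why it stops the related-data variant too: an MX or CNAME for a name in the attacker's zone is accepted, but the A record for the out-of-zone target it points at is not.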

Slide 63: DNS ID hacking

Slide 64: If the attacker can eavesdrop on the packets:
– The ID and port number are easy to read off
If not on the same network:
– The ID and UDP port have to be guessed
– Some DNS servers use consecutive numbers for the ID
– How to really do it?
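Slides 59 and 64 identify the two values an off-path spoofer must guess, the 16-bit transaction ID and the UDP source port, and note that some servers hand out consecutive IDs. The defender's version of that observation is an audit of one's own resolver: capture the (ID, source port) pairs of its outgoing queries and check whether they are predictable. The added example below, not the lecture's code, does that on two constructed observation sets, one with consecutive IDs from a fixed port and one drawn from a seeded random generator; the pass/fail thresholds are assumptions for the example.

```python
"""Audit the transaction IDs and source ports a resolver uses for its queries.

Added example, not from the lecture. Observations are (txid, source port)
pairs, one per outgoing query, as a packet capture of the resolver would show.
"""
import math
import random
from collections import Counter

# Constructed observation sets. WEAK: consecutive IDs from a fixed port.
# STRONG: IDs and ports from a seeded generator (deterministic for the demo).
WEAK = [(1000 + i, 53) for i in range(20)]
_rng = random.Random(7)
STRONG = [(_rng.randrange(65536), _rng.randrange(1024, 65536)) for _ in range(20)]


def sequential_fraction(ids):
    """Share of consecutive queries whose ID is the previous ID plus one
    (modulo 2^16): the 'consecutive numbers' pattern slide 64 mentions."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if (b - a) % 65536 == 1)
    return steps / (len(ids) - 1)


def entropy_bits(values):
    """Empirical Shannon entropy of the observed values, in bits. With n
    distinct values out of n observations this is log2(n), the most a sample
    of that size can show, so it is a lower bound on what the source provides."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def audit(observations, max_sequential=0.5):
    """Return a report on how much an off-path spoofer would have to guess.
    A fixed source port leaves only the 16-bit ID to guess; random ports add
    their own entropy on top. Thresholds are assumptions for this example."""
    ids = [t for t, _ in observations]
    ports = [p for _, p in observations]
    report = {
        "sequential_ids": sequential_fraction(ids),
        "id_entropy_bits": entropy_bits(ids),
        "port_entropy_bits": entropy_bits(ports),
        "fixed_port": len(set(ports)) == 1,
    }
    report["weak"] = report["sequential_ids"] > max_sequential or report["fixed_port"]
    return report


if __name__ == "__main__":
    print("weak resolver:  ", audit(WEAK))
    print("strong resolver:", audit(STRONG))
```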

Slide 65: Server attacks on DNS
– Buffer overflows in the DNS software
– DoS attacks
– About 33% of DNS servers are spoofable
– Attacks through zone transfer
