Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

Published byLesley Hines Modified over 8 years ago

Similar presentations

Presentation on theme: "CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning."— Presentation transcript:

1 CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning

2 CIT 380: Securing Computer SystemsSlide #2 FTP Bounce Scan FTP protocol supports proxy ftp –Client requests server send file to another IP, port. –If server can open connection, port is open. Advantages: –Hide identity of scanning host. –Bypass firewalls by using ftp server behind firewall. Disadvantages: –Most ftp servers no longer support proxying. –Printer ftp servers often do still support.

3 CIT 380: Securing Computer SystemsSlide #3 Idle Scan Use intermediate idle host to do scan. –Idle host must increment IP ID for each packet. –Idle host must not receive traffic from anyone other than attacker. Scan Process 1.Attacker connects to idle host to obtain initial IP ID X. 2.Send SYN packet to port Y of target with spoofed IP of idle host. 3.If port is open, target host will send SYN+ACK to idle host. 4.Idle host with send RST packet with IP ID X+1 to target. 5.Attacker connects with SYN to idle host to obtain updated IP ID. 6.Idle host sends back SYN+ACK to attacker. Note that this action will increment IP ID by 1. If IP ID is X+2, then port Y on target is open. Advantages: hides attacker IP address from target.

4 CIT 380: Securing Computer SystemsSlide #4 UDP Scans Send 0-byte UDP packet to each UDP port UDP packet returned Port is open ICMP port unreachable Port is closed Nothing Port listed as open|filtered Could be that packet was lost. Could be that server only returns UDP on valid input. Disadvantages: –ICMP error rate throttled to a few packets/second (RFC 1812), making UDP scans of all 65535 ports very slow. –MS Windows doesn’t implement rate limiting.

5 CIT 380: Securing Computer SystemsSlide #5 Version Scanning Port scanning reveals which ports are open –Guess services on well-known ports. How can we do better? –Find what server: vendor and version –telnet/netcat to port and check for banner –Version scanning

6 CIT 380: Securing Computer SystemsSlide #6 Banner Checking > nc www.nku.edu 80 GET / HTTP/1.1 HTTP/1.1 400 Bad Request Date: Sun, 07 Oct 2007 19:27:08 GMT Server: Apache/1.3.34 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.25 OpenSSL/0.9.7a Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=iso-8859-1 127 400 Bad Request Bad Request Your browser sent a request that this server could not understand. client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

7 CIT 380: Securing Computer SystemsSlide #7 Version Scanning 1.If port is TCP, open connection. 2.Wait for service to identify self with banner. 3.If no identification or port is UDP, 1.Send probe string based on well-known service. 2.Check response against db of known results. 4.If no match, test all probe strings in list.

8 CIT 380: Securing Computer SystemsSlide #8 nmap version scan > nmap -sV at204m02 (The 1645 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 3.7.1p2 (protocol 1.99) 80/tcp open http Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2) 111/tcp open rpcbind 2-4 (rpc #100000) 443/tcp open ssl/http Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2) 515/tcp open printer? 2049/tcp open nfs 2-3 (rpc #100003) 4045/tcp open nlockmgr 1-4 (rpc #100021) 5432/tcp open postgres? 5901/tcp open vnc VNC (protocol 3.3) 6000/tcp open X11? 32775/tcp open status 1 (rpc #100024)

9 CIT 380: Securing Computer SystemsSlide #9 More nmap Tools Set source port –Bypass firewall by using allowed source port. –Use port 80 for TCP, port 53 for UDP scans. Decoys –Send additional scans from list of decoys. –Spoof IP addresses of decoy hosts. –Defender has to investigate decoys + attacker.

10 CIT 380: Securing Computer SystemsSlide #10 Defenses Prevention –Disable unnecessary services. –Block ports at firewall. –Use a stateful firewall instead of packet filter. Detection –Network Intrusion Detection Systems. –Port scans often have distinct signatures. –IPS can react to scan by blocking IP address.

11 CIT 380: Securing Computer SystemsSlide #11 OS Fingerprinting Identify OS by specific features of its TCP/IP network stack implementation. –Explore TCP/IP differences between OSes. –Build database of OS TCP/IP fingerprints. –Send set of specially tailored packets to host –Match results to identical fingerprint in db to identify operating system type and version.

12 CIT 380: Securing Computer SystemsSlide #12 nmap OS fingerprint examples > nmap –O at204m02... Device type: general purpose Running: Sun Solaris 8 OS details: Sun Solaris 8 Uptime 10.035 days (since Sat Mar 27 08:59:38 2004) > nmap –O 10.17.0.1 … Device type: router Running: Bay Networks embedded OS details: Bay Networks BLN-2 Network Router or ASN Processor revision 9

13 CIT 380: Securing Computer SystemsSlide #13 OS Fingerprinting Techniques FIN probe –RFC 793 requires no response –MS Windows, BSDI, Cisco IOS send RST Bogus flag probe –Bit 7 of TCP flags unused –Linux <2.0.35 keeps flag set in response TCP ISN sampling –Different algorithms for TCP ISNs IP Identification –Different algorithms for incrementing IPID

14 CIT 380: Securing Computer SystemsSlide #14 Passive Fingerprinting Identify OSes of hosts on network by sniffing packets sent by each host. Use similar characteristics as active technique: –TTL –MSS –Initial Window Size –Don’t Fragment bit Tools: p0f

15 CIT 380: Securing Computer SystemsSlide #15 Fingerprinting Defenses Detection –NIDS Blocking –Firewalling –Some probes can’t be blocked. Deception –IPpersonality changes Linux TCP/IP stack signature to that of another OS in nmap db.

16 OS Mapping www.netcraft.com CIT 380: Securing Computer SystemsSlide #16

17 CIT 380: Securing Computer SystemsSlide #17 References 1.William Cheswick, Steven Bellovin, and Avriel Rubin, Firewalls and Internet Security, 2 nd edition, 2003. 2.Fyodor, “The Art of Port Scanning,” http://www.insecure.org/nmap/nmap_doc.html http://www.insecure.org/nmap/nmap_doc.html 3.Fyodor, NMAP man page, http://www.insecure.org/nmap/data/nmap_manpage.html http://www.insecure.org/nmap/data/nmap_manpage.html 4.Fyodor, “Remote OS detection via TCP/IP Stack FingerPrinting,” Phrack 54, http://www.insecure.org/nmap/nmap-fingerprinting- article.html 5.Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3 rd edition, O’Reilly & Associates, 2003. 6.Johnny Long, Google Hacking for Penetration Testers, Snygress, 2004. 7.Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed, 5 th edition, McGraw-Hill, 2003. 8.Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.

Download ppt "CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning."

Similar presentations

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Scanning CS391. Overview  The TCP protocol: quick overview  Scanning  Fingerprinting  OS Detection.

Scanning CS391. Overview  The TCP protocol: quick overview  Scanning  Fingerprinting  OS Detection.
IP Network Scanning.

IP Network Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Port Scanning.

1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.
CSC 482/582: Computer Security

CSC 482/582: Computer Security
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Scanning slides (c) 2012 by Richard Newman based on Hacking Exposed 7 by McClure, Scambray, and Kurtz.

Scanning slides (c) 2012 by Richard Newman based on Hacking Exposed 7 by McClure, Scambray, and Kurtz.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Port Scanners.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Port Scanners.

Similar presentations

Ads by Google