1. EECS 4980/6980: Computer SecuritySlide #1 EECS 4980/6980 Phase 1: Reconnaissance Phase 2: Scanning

2. EECS 4980/6980: Computer SecuritySlide #2 Topics Low Tech Reconnaissance Network Information Sources DNS Zone Transfers Network Mapping Port Scanning Stealth Scanning Version Identification Defences OS Fingerprinting

3. EECS 4980/6980: Computer SecuritySlide #3 Reconnaissance Collecting security-relevant information about an organization, including: –Locations –Related entities –Personnel: names, phone numbers, email addrs –Privacy or security policies –Network and system configuration –Remote access methods

4. EECS 4980/6980: Computer SecuritySlide #4 Low Tech Reconnaissance 1.Social Engineering 2.Physical Break-In 3.Dumpster Diving

5. EECS 4980/6980: Computer SecuritySlide #5 Social Engineering Attacker uses pretext to deceive organization member into giving out confidential information. Pretexts include personas and reasons: Personas –New employee –Sysadmin –Manager Reasons –Lost password –Contact name/phone –Reset password

6. EECS 4980/6980: Computer SecuritySlide #6 Social Engineering Defences Security Policy –Secure method for password resets. –No requests for passwords. Security Awareness Program –Educate personnel about social attacks. –Educate personnel about security policy.

7. EECS 4980/6980: Computer SecuritySlide #7 Physical Break-In Methods of Entry –Employment. –Enter on someone else’s coat tails. Physical Access –Already logged in system. –System with password written down nearby. –Install hardware/software key loggers. –Plug in laptop to Ethernet port. –Take removable media or even hard disks.

8. EECS 4980/6980: Computer SecuritySlide #8 Physical Defences Security Policy –Personnel cannot enter without card. –No coat-tailing. –Policy for ID card replacement/temporary IDs. Security Mechanisms –Card reader access. –Guards. –Automatic screen locks after 5 minutes. –Locked file cabinets/drawers. –Encryption.

9. EECS 4980/6980: Computer SecuritySlide #9 Dumpster Diving Search trash for sensitive information –Usernames and passwords, –Phone directories, –Network diagrams, etc. 2000: Oracle hired IGI (a PI company) to investigate pro-Microsoft groups. –IGI searched trash to discover MS funding of supposedly independent advocacy groups.

10. EECS 4980/6980: Computer SecuritySlide #10 Defences Against Dumpster Diving Security Policy –Require special disposal of confidential data. –Includes paper, floppies, etc. Security Mechanisms –Paper shredder. –De-gausser. –Burning.

11. EECS 4980/6980: Computer SecuritySlide #11 Information Resources Organization web site –Check HTML source for comments. –Check robots.txt for interesting files. Usenet postings –Search groups.google.com for “@org ” postings –comp.security.*, comp.unix.* Search news sources about organization: –finance.yahoo.com –news.google.com –Edgar database (www.sec.gov/)www.sec.gov/ Send email to invalid address @org –Identify mail server vendor and version. –Email server topology and antivirus defences.

12. EECS 4980/6980: Computer SecuritySlide #12 Google Hacking: Keywords site: for site-specific searches –site:orgname –keywords: dial, dialup, login, password –job postings listing required programs/technologies link: find related sites –link:sitename cache: see deleted pages or old versions –cache:sitename

13. EECS 4980/6980: Computer SecuritySlide #13 Google Hacking: Finding Directory Listings intitle: for text in title, not body. –intitle:index.of “parent directory” –intitle:index.of name size Combine with site: to specify your target.

14. EECS 4980/6980: Computer SecuritySlide #14 Google Hacking: Finding Passwords UNIX Passwords intitle:"Index of..etc" passwd MySql History (often includes passwords) intitle:"Index of".mysql_history See Google Hack Database for more queries.

15. EECS 4980/6980: Computer SecuritySlide #15 Domain Name Registration http://www.allwhois.com/ whois command –wildcard search: “ whois orgname. ” Contact names: email, phone, address DNS servers

16. EECS 4980/6980: Computer SecuritySlide #16 whois Domain Name: LORAINCCC.EDU Registrant: Lorain County Community College 1005 North Abbe Road Elyria, OH 44035-1691 Contacts: Administrative Contact: Jeff B. Hurd (440) 555-5555 nospam@lorainccc.edu Technical Contact: Norm D. Lease (440) 555-5556 nospam2@lorainccc.edu Name Servers: LC3MS1.LORAIN.CC.OH.USLC3MS1.LORAIN.CC.OH.US NS1.OAR.NET NS2.OAR.NET Domain record activated: 20-May-1996 Domain record last updated: 13-Aug-2002

17. EECS 4980/6980: Computer SecuritySlide #17 whois > host intel.com intel.com has address 198.175.96.33 > whois 198.175.96.33 [Querying whois.arin.net] [whois.arin.net] Intel Corporation NETBLK-INTEL-IT (NET-198-175-64-0-1) 198.175.64.0 - 198.175.123.255 Distributed Network Technical Support INTEL-IT33 (NET- 198-175-96-0-1) 198.175.96.0 - 198.175.96.255 # ARIN WHOIS database, last updated 2004-04-04 19:15 # Enter ? for additional hints on searching ARIN's WHOIS database.

18. EECS 4980/6980: Computer SecuritySlide #18 Threats Social Engineering –Pose as administrative contact via phone/email to gain information Wardialing –Search telephone exchange for modems Domain Hijacking –1998 redirect of aol.com to autonete.net Further network investigation –DNS queries –Network scans of IP address space

19. EECS 4980/6980: Computer SecuritySlide #19 DNS Zone Transfer List all DNS information for a domain –All hostnames with their IP addresses –MX records list mail servers and backups Commands –host –l –v –t any lorainccc.edu –nslookup set type=any ls –d lorainccc.edu Defences –ACL for zone xfers only f/ secondary DNS servers –Separate internal and external DNS databases

20. EECS 4980/6980: Computer SecuritySlide #20 Network Mapping DNS and whois searches have identified networks of interest. Next step: mapping the networks traceroute –explore network topology –identify firewalls ping scan –find currently up hosts

21. EECS 4980/6980: Computer SecuritySlide #21 traceroute > traceroute www.eng.utoledo.edu traceroute to green.eng.utoledo.edu (131.183.18.5), 30 hops max, 38 byte packets 1 pc_elan (10.17.0.1) 2 lc3gw2 (10.50.0.83) 3 gwlcc.lorainccc.edu (192.232.30.1) 4 oeb10-sl1-0-2-1c0.columbus.oar.net (199.18.112.49) 5 oebc1-gigeth5-0-0.columbus.oar.net (199.18.199.1) 6 tlp3-atm1-0.toledo.oar.net (199.18.202.53) 7 utoledo-atm2-0s53.toledo.oar.net (199.18.111.230) 8 131.183.252.222 (131.183.252.222) 9 uc7500.utoledo.edu (131.183.1.198) 10 cifshomedirs.eng.utoledo.edu (131.183.18.5)

22. EECS 4980/6980: Computer SecuritySlide #22 Network Diagramming traceroute to multiple internal hosts –identify different paths –identify firewalls that prevent traceroute Draw map of network based on traceroutes Helpful Tools firewalk: route tracing tool that bypasses many firewall configurations that stop traceroute neotrace: geographic map of network route

23. EECS 4980/6980: Computer SecuritySlide #23 Defences Firewalls –Restrict ingress of packet types commonly used for network mapping, e.g. ICMP. Detection –IDS can detect network mapping attempts, letting you know which IPs are mapping your network.

24. EECS 4980/6980: Computer SecuritySlide #24 Ping Scanning Send IP packet to each IP address in a network, checking for responses. Scan types –ICMP echo –TCP port 80 –TCP/UDP specific port –Fragmented packets

25. EECS 4980/6980: Computer SecuritySlide #25 Ping Scanning > nmap -sP 10.17.0.0/24 Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-04-05 13:57 EDT Host pc_elan.lc3net (10.17.0.1) appears to be up. Host 10.17.0.31 appears to be up. Host 10.17.0.35 appears to be up. Host sun02 (10.17.0.55) appears to be up. Host sun09 (10.17.0.64) appears to be up. Host pc208p01 (10.17.0.66) appears to be up. Host sun14 (10.17.0.80) appears to be up. Host 10.17.0.241 appears to be up. Host 10.17.0.247 appears to be up. Nmap run completed -- 256 IP addresses (54 hosts up) scanned in 4.510 seconds

26. EECS 4980/6980: Computer SecuritySlide #26 Defences Firewalls –Refuse ICMP echo ingress. –Restrict TCP ports to necessary servers port 80 only to web server port 25 only to mail server Bypassing defences –Multiple sweeps with different target ports. –ICMP timestamp and netmask request queries. –Fragment scans.

27. EECS 4980/6980: Computer SecuritySlide #27 Ping Scan vs Firewall Firewall Ruleset –pass from any to 10.0.17.31 port 53 –pass from any to 10.0.17.35 port 25 –drop all > nmap -sP 10.17.0.0/24 Starting nmap 3.50 at 2004-04-05 13:57 Nmap run completed -- 256 IP addresses (0 hosts up) scanned in 72.430 seconds

28. EECS 4980/6980: Computer SecuritySlide #28 Ping Scan vs Firewall Firewall Ruleset –pass from any to 10.0.17.31 port 25 keep state –pass from any port 53 to any keep state –drop all > nmap -sP –PS25 10.17.0.0/24 –bypasses first rule, finds any hosts listening on port 25 > nmap -sP –g 53 10.17.0.0/24 –bypasses second rule, as packets look like DNS response

29. EECS 4980/6980: Computer SecuritySlide #29 Port Scanning Method of discovering exploitable communication channels by probing networked hosts to find which TCP and UDP ports they’re listening on.

30. EECS 4980/6980: Computer SecuritySlide #30 nmap TCP connect() scan > nmap -sT at204m02 (1645 ports scanned but not shown are in state: closed) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 443/tcp open https 515/tcp open printer 2049/tcp open nfs 4045/tcp open lockd 5432/tcp open postgres 5901/tcp open vnc-1 6000/tcp open X11 32775/tcp open sometimes-rpc13 Nmap run completed -- 1 IP address (1 host up) scanned in 43.846 seconds

31. EECS 4980/6980: Computer SecuritySlide #31 Scanning Techniques TCP connect() scan TCP SYN scan TCP FIN scan TCP Xmas scan TCP Null scan TCP ACK scan Fragmentation Scan FTP bounce scan Idle Scan UDP scan

32. EECS 4980/6980: Computer SecuritySlide #32 TCP connect() scan Use connect() system call on each port, following normal TCP connection protocol (3-way handshake). connect() will succeed if port is listening. Advantages: fast, requires no privileges Disadvantages: easily detectable and blockable.

33. EECS 4980/6980: Computer SecuritySlide #33 TCP SYN Scan Send SYN packet and wait for response –SYN+ACK Port is open Send RST to tear down connection –RST Port is closed Advantage: less likely to be logged or blocked Disadvantage: requires root privilege

34. EECS 4980/6980: Computer SecuritySlide #34 TCP FIN scan Send TCP FIN packet and wait for response –No response Port is open –RST Port is closed. Advantages: more stealthy than SYN scan Disadvantages: MS Windows doesn’t follow standard (RFC 793) and responds with RST in both cases, requires root privilege.

35. EECS 4980/6980: Computer SecuritySlide #35 Xmas and Null Scans Similar to FIN scan with different flag settings. Xmas Scan: Sets FIN, URG, and PUSH flags. Null Scan: Turns off all TCP flags.

36. EECS 4980/6980: Computer SecuritySlide #36 TCP ACK Scan Send TCP ACK packet to specified port –RST Port is unfiltered –No response or ICMP unreachable Port is filtered Used to determine if firewall is simple packet filter that blocks incoming SYN packets or whether it’s a stateful firewall.

37. EECS 4980/6980: Computer SecuritySlide #37 Fragmentation Scan Modify TCP stealth scan (SYN, FIN, Xmas, NULL) to use tiny fragmented IP datagrams. Advantages: increases difficulty of scan detection and blocking. Disadvantages: does not work on all Oses, and may crash some firewalls/sniffers.

38. EECS 4980/6980: Computer SecuritySlide #38 FTP Bounce Scan FTP protocol supports proxy ftp connections, allowing ftp client to request that a server send a file to any IP address. Advantages: bypass firewalls by using ftp server behind firewall as proxy for scans, hide identity of scanning host. Disadvantages: many ftp servers no longer support proxying.

39. EECS 4980/6980: Computer SecuritySlide #39 Idle Scan Use intermediate “idle” (zero traffic) host that increments the IP identification header by one for each packet sent. Connect to idle host to obtain IP id. Send SYN packet to port X of target host with spoofed IP of idle host. If port is open, target host will send SYN+ACK to idle host. Connect to idle host to obtain updated IP id –If IP id incremented, port X on target was open Advantage: no IP packets from your IP address

40. EECS 4980/6980: Computer SecuritySlide #40 UDP Scan Send 0-byte UDP packet to each UDP port –ICMP port unreachable Port is closed –Nothing Assume port is open (packet may be lost) Advantages: Can discover UDP services Disadvantages: Most hosts limit ICMP error rate to a small number of packets/second (RFC 1812), making UDP scans of all 65535 ports very slow. –MS Windows doesn’t implement rate limiting.

41. EECS 4980/6980: Computer SecuritySlide #41 Version Scanning Port scanning reveals which ports are open –Guess services on well-known ports. How can we do better? –Find what server: vendor and version –telnet/netcat to port and check for banner –Version scanning

42. EECS 4980/6980: Computer SecuritySlide #42 Banner Checking > nc brahms.eecs.utoledo.edu 80 GET / HTTP/1.1 HTTP/1.1 400 Bad Request Date: Tue, 06 Apr 2004 14:45:35 GMT Server: Apache/2.0.46 (Unix) PHP/4.3.2 Content-Length: 325 Connection: close Content-Type: text/html; charset=iso-8859-1 400 Bad Request … Apache/2.0.46 (Unix) PHP/4.3.2 Server at brahms.eecs.utoledo.edu Port 80

43. EECS 4980/6980: Computer SecuritySlide #43 Version Scanning 1.If port is TCP, open connection. 2.Wait for service to identify self with banner. 3.If no identification or port is UDP, 1.Send probe string based on well-known service. 2.Check response against db of known results. 4.If no match, test all probe strings in list.

44. EECS 4980/6980: Computer SecuritySlide #44 nmap version scan > nmap -sV at204m02 (The 1645 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 3.7.1p2 (protocol 1.99) 80/tcp open http Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2) 111/tcp open rpcbind 2-4 (rpc #100000) 443/tcp open ssl/http Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2) 515/tcp open printer? 2049/tcp open nfs 2-3 (rpc #100003) 4045/tcp open nlockmgr 1-4 (rpc #100021) 5432/tcp open postgres? 5901/tcp open vnc VNC (protocol 3.3) 6000/tcp open X11? 32775/tcp open status 1 (rpc #100024)

45. EECS 4980/6980: Computer SecuritySlide #45 Defences Detection –Network Intrusion Detection Systems. –Port scans often have distinct signatures. –NIDS can react to scan by blocking IP address. Prevention –Disable unnecessary services. –Filter packets entering network. –Filter packets on each host.

46. EECS 4980/6980: Computer SecuritySlide #46 OS Fingerprinting Identify OS by specific features of its TCP/IP network stack implementation. –Explore TCP/IP differences between OSes. –Build database of OS TCP/IP fingerprints. –Send set of specially tailored packets to host –Match results to identical fingerprint in db to identify operating system type and version. Xprobe uses fuzzy matching techniques.

47. EECS 4980/6980: Computer SecuritySlide #47 nmap OS fingerprint examples > nmap –O at204m02... Device type: general purpose Running: Sun Solaris 8 OS details: Sun Solaris 8 Uptime 10.035 days (since Sat Mar 27 08:59:38 2004) > nmap –O 10.17.0.1 … Device type: router Running: Bay Networks embedded OS details: Bay Networks BLN-2 Network Router or ASN Processor revision 9

48. EECS 4980/6980: Computer SecuritySlide #48 OS Fingerprinting Techniques FIN probe –RFC 793 requires no response –MS Windows, BSDI, Cisco IOS send RST Bogus flag probe –Bit 7 of TCP flags unused –Linux <2.0.35 keeps flag set in response TCP ISN sampling –Different algorithms for TCP ISNs IP Identification –Different algorithms for incrementing IPID

49. EECS 4980/6980: Computer SecuritySlide #49 OS Fingerprinting Techniques TCP Timestamp –Is it supported, and if so, at what rate is it incremented? Don’t Fragment bit –Some OSes send packets with Don’t Fragment set. TCP initial window size –Some OSes use unique initial window sizes. ACK value –Most OSes return ISN on FIN+PSH+URG packet, but some return ISN+1

50. EECS 4980/6980: Computer SecuritySlide #50 OS Fingerprinting Techniques Fragmentation Handling –Does first or second fragment of packet broken into overlapping fragments take precedence? TCP Options –Does OS support all options? –Which options does OS set on reply? –What is the order of options and where is NOP padding added?

51. EECS 4980/6980: Computer SecuritySlide #51 OS Fingerprinting Techniques Denial of Service attack –Launch DOS attacks in order from oldest to newest, checking for which ones succeed. –OSes have different levels of protection against DOS attacks depending on type and version.

52. EECS 4980/6980: Computer SecuritySlide #52 Passive Fingerprinting Identify OSes of hosts on network by sniffing packets sent by each host. Use similar characteristics as active technique: –TTL –MSS –Initial Window Size –Don’t Fragment bit Tools: p0f

53. EECS 4980/6980: Computer SecuritySlide #53 Fingerprinting Defences Detection –NIDS Blocking –Firewalling –Some probes can’t be blocked. Deception –IPpersonality changes Linux TCP/IP stack signature to that of another OS in nmap db.

54. EECS 4980/6980: Computer SecuritySlide #54 Key Points Reconnaissance –Don’t forget about low tech means. –Organizations give away more information than most expect. Port Scanning –Find more than just ports: versions, OSes. –TCP/IP implementation differences provide much useful data.

55. EECS 4980/6980: Computer SecuritySlide #55 References 1.Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. 2.William Cheswick, Steven Bellovin, and Avriel Rubin, Firewalls and Internet Security, 2 nd edition, 2003. 3.Fyodor, “The Art of Port Scanning,” http://www.insecure.org/nmap/nmap_doc.html http://www.insecure.org/nmap/nmap_doc.html 4.Fyodor, NMAP man page, http://www.insecure.org/nmap/data/nmap_manpage.html http://www.insecure.org/nmap/data/nmap_manpage.html 5.Fyodor, “Remote OS detection via TCP/IP Stack FingerPrinting,” Phrack 54, http://www.insecure.org/nmap/nmap-fingerprinting- article.html 6.Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3 rd edition, O’Reilly & Associates, 2003. 7.Johnny Long, Google Hacking for Penetration Testers, Snygress, 2004. 8.Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed, 3 rd edition, McGraw-Hill, 2001. 9.Ed Skoudis, Counter Hack, Prentice Hall, 2002.