Gathering Network & Host Information: Scanning & Enumeration
Port Scanning Well known ports Network Scanning Not designed to do testing through a firewall Only as smart as their database Vulnerability Scanning
1. Check for live systems 2. Check for open ports 3. Service identification 4. Banner Grabbing / OS Fingerprinting 5. Vulnerability scanning 6. Network Diagram 7. Prepare Proxies 8. Attack!
Ping Sweeps using an IP Ping Flood Tool Pinger, Friendly Pinger, WS_Ping_Pro, AngryIP Detecting Use an IDS or IPS
nmap: Free; Open Source (Zenmap: GUI) Ping sweeps: sends ICMP ECHO_REQUEST & TCP ACK Port scanning, service identification, IP address & OS detection Port states: Open, Closed, Unfiltered (10 min) Fport: identify unknown open ports and their associated applications
Lsof: ( l ist o pen f iles): Linux command -report a list of all open files and the processes that opened them Switches: -i: display the list of all network sockets -r: display the routing table -g: display multicast group membership information for IPv4 and IPv6 -i: display a table of all network interfaces
Netstat Displays protocol-related statistics and the state of current TCP/IP connections Switches: -a: show both listening and non-listening sockets -an: reported in numerical form -l: show only listening sockets -c: print routing information from the route cache -s: display summary statistics for each protocol
nmap scan types: TCP Connect: -sT XMAS tree scan: -sX SYN stealth scan: -sS Null scan: -sN Does not work on Windows systems ACK scan: -sA UDP scan: -sU Ex: Scan first 1024 ports: Nmap -sU -p Scan protocols in use: -vO Control timing: -T Paranoid, Sneaky, Polite, Normal, Aggressive, Insane
Full / Connect: Noisy; Most easily caught by IDS/IPS SYN: ½ Open; stealth; sends SYN, then RST XMAS: FIN, URG, PSH flags set - Doesn’t work on Windows FIN: FIN flag set NULL: no flags set; doesn’t work on Windows IDLE: uses a spoofed IP address Bounce Attack scanning: connect to an FTP server and request that server to start data transfer to the third system
SYN ACK PSH the system is forwarding the buffered data URG data in the packet must be processed quickly FIN data packet transaction has completed; no more transmission is required Uses reverse mapping: closed ports reply with RST, open ports ignore the probe RST the connection is being reset
NetScan Tools Pro Hping2 Icmpenum enumerate networks that have blocked ICMP Echo packets but failed to block timestamp or information packet supports spoofing and promiscuous listening for reply packets SNMP Scanner P0f : passive OS fingerprinting tool
NetCat (nc) Provides outbound and inbound connections for TCP and UDP ports. Provides special tunneling, such as UDP to TCP, with the possibility of specifying all network parameters. A good port scanner. Contains advanced usage options, such as buffered send-mode (one line every N seconds), and hexdump (to stderr or to a specified file) of transmitted and received data.
NetCat (nc) common switches nc –d: detach Netcat from the console. nc -l -p [port]: create a simple listening TCP port; adding u will put it in UDP mode. nc -e [program]: redirect stdin/stdout from a program. nc -z: port scanning. nc -g or nc -G: specify source routing flags. nc -t: Telnet negotiation nc -w [timeout]: set a timeout before Netcat automatically quits. nc -v: put Netcat into verbose mode
Bypasses normal network detection devices Tools ToneLoc THC-Scan PhoneSweep TeleSweep
Banner Grabbing (Windows) "HEAD / HTTP/1.0" Pressing enter twice, Adam gets the following results: C:\> cmd Microsoft Windows XP [Version ] (C) Copyright Microsoft Corp. C:\>pwdump pwd.txt
Banner Grabbing (Linux) for i in 'cat hostlist.txt' ;do nc -q 2 -v $i 80 < request.txt done [where, hostlist.txt file contains the list of IP addresses and request.txt is the output file] OS Fingerprinting Nmap & Queso Netcraft Web site that periodically polls Web servers to determine the operating system version and the Web-server software version; toolbar would notify a phishing attack
Additional Tools: Traceroute: measuring the route path and transit times of packets across an (IP) network Cheops: host/network discovery functionality as well as OS detection of hosts NeoTrace: shows you how packets get from your computer to another computer on the Internet by displaying all nodes between your computer and the trace target
Anonymizers Linux Proxy Server (IPChains, IPTables) Limitations of anonymizers Secure protocols (HTTPS), JavaScript, Plugins, ActiveX controls, Java applications Tunneling: Using a protocol for other than its intended purpose Ptunnel & Itunnel: use ICMP WinTunnel: uses TCP HTTPort, Tunneld, BackStealth
Gathering Usernames: hack SAM file; GetAcct Machine names: use null sessions Network resources: SuperScan Shares: net view command Services: SNMP port scanning Tools PsPasswd PsFile UserInfo
“Null” user has no username/password C:\> net use \\ \IPC$ “ “ /u: “ “\\ Admin SID: S ….-500 Guest SID: S … Port 135, 137, 139, 445 Countermeasure Disable SMB; Disable TCP port 139/445 Editing the registry key HKLM\SYSTEM\CurrentControlSet\Control \ LSA and adding the value RestrictAnonymous
Gathering information about host, routers, devices etc. by querying ‘Management Information Base’ (MIB). Used for remote monitoring and managing hosts, routers, and devices on a network SNMP version 3 provides data encryption for community strings
Tools: SNMPUtil, IP Network Browser, snmpwalk snmpwalk example: sysDescr.0 = STRING: "SunOS zeus.net.cmu.edu 4.1.3_U1 1 sun4m" sysObjectID.0 = OID: enterprises.hp.nm.hpsystem sysUpTime.0 = Timeticks: ( ) 17 days, 23:19:05 sysContact.0 = STRING: "" sysName.0 = STRING: "zeus.net.cmu.edu" sysLocation.0 = STRING: "" sysServices.0 = INTEGER: 72 Countermeasures: Disable SNMP Service Change default passwords (Public & Private) Implementing Access control list filtering
Tools Sam Spade, Host, Dis NSLOOKUP nslookup > server > set type = any > ls -d Windows Service Identifiers User2SID, SID2User, DumpSec, Enum
SOCKS: Optional proxy server protocol that uses sockets to keep track of individual connections Port 1080 IRC servers uses TCP, hence are a frequent target Port Redirection: Used to bypass port filtering rules at routers and firewalls Linux: Datapipe Windows: Fpipe
0 Echo Reply 3 Destination Unreachable 8 Echo Request 11 Time Exceeded 13 Timestamp Request 14 Timestamp Reply 15 Address mask request 17 Information request (obsolete)
TYPE 3 & CODE 13 a Network Administrator has prohibited communication with the server by using a firewall ICMP TYPE 3 and CODE 3 port unreachable message ICMP TYPE 3 and CODE 0 network unreachable error message ICMP TYPE 0 and CODE 0 ICMP echo reply message
Gathering information about a remote network protected by a firewall Requirements ICMP packets leaving the network should be allowed An attacker should know the IP address of a host located behind the firewall An attacker should know the IP address of the last known gateway before the firewall mid,54/topic,4062.msg19362/ mid,54/topic,4062.msg19362/ verify-acls-and-check-firewall-rule-sets/ verify-acls-and-check-firewall-rule-sets/