COUNTER HACK, Chapter 6: Scanning. Information Networking Security and Assurance Lab, National Chung Cheng University.


Title slide: COUNTER HACK, Chapter 6, Scanning. Information Networking Security and Assurance Lab, Department of Communication Engineering, National Chung Cheng University, Chia-Yi, Taiwan, ROC. Presented by Mike.

Network Mapping
Focus on IP-based computer systems. Map out your own network infrastructure:
- Map and scan your Internet gateway, including DMZ systems such as Web, mail, FTP and DNS servers.
- Map and scan your internal network.
(Figure: Internet, border router, firewall, DMZ server, internal network.)

Network Mapping Techniques
- Finding live hosts
- Tracing your network topology

Finding Live Hosts
- ICMP ping: send an ICMP Echo Request to every possible address and record which ones answer with an Echo Reply; those are the active hosts.
(Figure: attacker sends an ICMP Echo Request packet, victim replies.)

Traceroute
Traceroute relies on the IP Time-To-Live (TTL) field. Every router that forwards a packet decrements the TTL; when the TTL reaches zero, that router discards the packet and sends an ICMP Time Exceeded message back to the originator. Sending probes with TTL = 1, 2, 3, ... therefore reveals each router on the path in turn.

Traceroute (figure)
Probes with TTL = 1 and TTL = 2; the router at which each TTL expires returns Time Exceeded.

Cheops
Builds a network inventory and topology map using ping and traceroute. Runs on Linux.

Defenses against Network Mapping
Filter:
- Use firewalls and the packet-filtering capabilities of your routers.
- Stop ICMP Time Exceeded messages from leaving your network (at the cost of breaking traceroute for your own users).

Using Port Scanners
Analyze which ports are open, once you know the addresses of the live systems and have a basic understanding of your network. TCP and UDP each have 65,536 ports (0 to 65535). The well-known port assignments were listed in RFC 1700 (Assigned Numbers); that RFC is now obsolete, and the current assignments live in the IANA Service Name and Transport Protocol Port Number Registry.

Using Port Scanners
Ports are like doors on each machine. A port scan knocks on each door to see whether anyone is listening behind it:
- Someone behind the door: you get a response.
- No one behind the door: no answer back. (More precisely, a closed TCP port answers with a RST and a closed UDP port usually answers with ICMP Port Unreachable; complete silence normally means a filter dropped the probe.)

Free Port-Scanning Tools
- Nmap
- Strobe (packetstorm.securify.com/UNIX/scanners/)
- Ultrascan, a Windows NT port scanner (packetstorm.securify.com/UNIX/scanners)

Nmap
What type of packets does the scanning system send? TCP Connect, TCP SYN, TCP FIN, ... Some scan types can flood the target system or even crash a fragile TCP/IP stack, so choose the scan type deliberately and only scan systems you are authorized to test.

Types of Nmap Scans
A legitimate TCP connection is established with a three-way handshake:
1. Attacker to victim: SYN with initial sequence number ISN_A.
2. Victim to attacker: ACK of ISN_A and SYN with ISN_B.
3. Attacker to victim: ACK of ISN_B.
Connection established. A TCP Connect scan completes this handshake on every port (and the application usually logs the connection); a SYN scan stops after step 2 and answers with RST instead of the final ACK.
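A worked TCP Connect scan, added here as an example and not part of the original slides or of Nmap: it opens a throwaway listener on 127.0.0.1 to stand in for a live service, picks a second port that nothing listens on, and classifies each probe by the outcome of connect(): success means open, ECONNREFUSED (a RST came back) means closed, and a timeout means a filter swallowed the probe. The listener, the port choice and the timeout are the example's own assumptions.

```python
import errno
import socket
import threading

WSAECONNREFUSED = 10061  # Winsock value of ECONNREFUSED, in case this runs on Windows


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP service on an OS-assigned port (constructed stand-in for a real daemon)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:       # listener closed: stop serving
                return
            conn.close()          # accept and hang up; a connect scan only needs the handshake

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port(host="127.0.0.1"):
    """Bind and immediately release a port so that nothing listens on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host, port, timeout=1.0):
    """Knock on one door with a full three-way handshake and report what answered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))   # returns the errno instead of raising
    except socket.timeout:
        rc = errno.ETIMEDOUT
    finally:
        s.close()
    if rc == 0:
        return "open"                     # handshake completed: something listens
    if rc in (errno.ECONNREFUSED, WSAECONNREFUSED):
        return "closed"                   # the stack answered our SYN with RST
    return "filtered"                     # no answer at all (timeout or unreachable)


def connect_scan(host, ports, timeout=1.0):
    """Scan a list of ports; returns {port: 'open' | 'closed' | 'filtered'}."""
    return {port: probe_port(host, port, timeout) for port in ports}


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = find_closed_port()
    for port, state in connect_scan("127.0.0.1", [open_port, closed_port]).items():
        print("%d/tcp %s" % (port, state))
    srv.close()
```

Because the handshake completes, every probe shows up in the target service's own logs, which is why a SYN scan (half-open, stops after the SYN-ACK) is the quieter choice for an attacker and why a defender's IDS should not rely on application logs alone.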

TCP ACK Scans
A simple packet-filter device is often configured to allow outgoing traffic and the "established" responses to it, and to block incoming packets that have the SYN flag set, so that outsiders cannot open connections. The filter judges "established" by flag bits alone: any incoming packet with ACK (or RST) set is let through.
(Figure: an outbound SYN and its SYN-ACK reply are allowed; an inbound SYN is blocked.)

TCP ACK Scans
The attacker sends packets with only the ACK bit set to destination ports 1024, 1025, 1026, ... If the filter lets an ACK through, the internal host answers with a RESET, because a TCP stack sends RST for an ACK that belongs to no connection it knows, whether or not a service listens on that port. A RST coming back means "Aha! I know port 1026 is open through the firewall": the port is unfiltered. The scan says nothing about whether anything actually listens there.

FTP Bounce Scans
The attacker opens an FTP control connection to an FTP server that supports forwarding (it accepts a PORT command naming any address, not just the client's). The attacker asks it to "open a data connection to send a file to the victim on port 1", "... port 2", etc. Whether each data connection succeeds or fails tells the attacker which ports on the victim are open, and the victim only ever sees the FTP server's address.

How to Avoid FTP Bounce Scans
Make sure that your FTP server does not support this bounce capability: it should refuse PORT commands that name an address other than the client's own. Check your FTP server.

Standard FTP Control and Data Connections (active mode)
- FTP control connection: from the internal FTP client to the external FTP server, TCP destination port 21.
- FTP data connection: from the external FTP server back to the internal client, TCP source port 20, to the port the client named in its PORT command.
(Figure: a firewall sits between the internal FTP client and the external FTP server.)

FTP Bounce Scans
Active-mode FTP makes standard FTP hard for routers and firewalls to handle: the data connection arrives inbound from the server, so a simple filter ends up admitting any inbound connection whose source port is 20.
(Figure: the server sends src port = 20, dst port = 1024; src port = 20, dst port = 1025; src port = 20, dst port = 1026; the firewall says "Duh ... I'll let in that incoming FTP data connection.")
An attacker who simply sets the source port of a scan to 20 walks through the same rule.
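The bounce defense from the previous slides, as an added example (not code from the slides or from any FTP server): parse the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command as RFC 959 defines it, then refuse to open the data connection unless the address matches the control connection's peer and the port is unprivileged. The function names and the sample commands are the example's own.

```python
import ipaddress


class FTPProtocolError(ValueError):
    """Raised for a PORT command the server must reject."""


def parse_port_command(arg):
    """Parse 'h1,h2,h3,h4,p1,p2' into (host, port); port = p1 * 256 + p2 (RFC 959)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise FTPProtocolError("PORT needs six comma-separated numbers")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise FTPProtocolError("PORT fields must be integers")
    if any(n < 0 or n > 255 for n in nums):
        raise FTPProtocolError("PORT fields must be in 0..255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def bounce_safe_port(arg, control_peer_ip):
    """Return (host, port) if the data connection may be opened, else raise FTPProtocolError.

    Two checks stop the bounce scan: the data address must be the client that issued
    the command, and the server will not dial privileged ports on anyone's behalf.
    """
    host, port = parse_port_command(arg)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        raise FTPProtocolError("PORT address %s differs from control peer %s" % (host, control_peer_ip))
    if port < 1024:
        raise FTPProtocolError("PORT to privileged port %d refused" % port)
    return host, port


def handle_port_command(arg, control_peer_ip):
    """Server-side reply a PORT handler would send (constructed FTP reply strings)."""
    try:
        host, port = bounce_safe_port(arg, control_peer_ip)
    except FTPProtocolError as exc:
        return "500 Illegal PORT command (%s)" % exc
    return "200 PORT command successful (%s:%d)" % (host, port)


if __name__ == "__main__":
    # Constructed sample: a genuine client, then an attacker at 203.0.113.9 bouncing to 192.168.1.10:23.
    print(handle_port_command("10,0,0,5,4,1", "10.0.0.5"))
    print(handle_port_command("192,168,1,10,0,23", "203.0.113.9"))
```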

Defenses against Port Scanning
Harden your systems:
- Close all unused ports.
- Minimize the services and tools installed.
Find the openings before the attackers do: scan your own systems regularly.
Use stateful inspection:
- The firewall remembers every outgoing SYN in a connection table.
- Incoming packets are checked against that table, so the bare ACKs of an ACK scan, which match no connection, are dropped.
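The ACK-scan slides and the stateful-inspection defense, modelled together in one added example (not part of the slides and not the code of any firewall product): a flag-based filter that admits anything with ACK set leaks a RST for every probe, while a filter that keeps a table of outbound SYNs drops the same probes yet still admits the SYN-ACK of a connection an internal client opened. Addresses, ports and the two filter classes are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "RST"}


class StatelessFilter:
    """The slide's rule set: allow everything outbound; inbound, block SYN-only packets and
    admit 'established' traffic, judged purely by the flag bits (ACK or RST set)."""

    def outbound(self, pkt):
        return True

    def inbound(self, pkt):
        return "ACK" in pkt.flags or "RST" in pkt.flags


class StatefulFilter:
    """Stateful inspection: remember each outbound SYN in a connection table and admit an
    inbound packet only when it belongs to one of those connections."""

    def __init__(self):
        self.table = set()

    def outbound(self, pkt):
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def host_reply(pkt):
    """A TCP stack that gets an ACK for a connection it knows nothing about answers with
    RST (RFC 793), whether or not a service listens on the port."""
    if "ACK" in pkt.flags and "SYN" not in pkt.flags:
        return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, frozenset({"RST"}))
    return None


def ack_scan(fw, attacker, target, ports, sport=40000):
    """Send bare ACKs through the filter; a RST coming back marks the port 'unfiltered'."""
    results = {}
    for port in ports:
        probe = Packet(attacker, target, sport, port, frozenset({"ACK"}))
        if not fw.inbound(probe):
            results[port] = "filtered"
            continue
        reply = host_reply(probe)
        results[port] = "unfiltered" if reply and fw.outbound(reply) else "filtered"
    return results


def legitimate_session(fw, client, server, cport=51000, sport=80):
    """An internal client opens a connection; the server's SYN-ACK must still get in."""
    fw.outbound(Packet(client, server, cport, sport, frozenset({"SYN"})))
    synack = Packet(server, client, sport, cport, frozenset({"SYN", "ACK"}))
    return fw.inbound(synack)


if __name__ == "__main__":
    for fw in (StatelessFilter(), StatefulFilter()):
        print(type(fw).__name__, ack_scan(fw, "203.0.113.9", "10.0.0.5", [1024, 1025, 1026]),
              "web browsing works:", legitimate_session(fw, "10.0.0.5", "198.51.100.7"))
```

The stateful table here is keyed on the full 4-tuple; a real firewall also ages entries out and tracks sequence numbers, but the property that defeats the ACK scan is already visible: an ACK that matches no remembered SYN never reaches the host, so no RST is generated.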

How Firewalk Works
Firewalk's discovery phase counts the number of hops to the firewall: probes with TTL = 1, TTL = 2, TTL = 3, ... draw a Time Exceeded from each router in turn, until the reply comes from the packet-filter firewall itself.
(Figure: attacker, router, packet-filter firewall; Time Exceeded replies at TTL = 1, 2 and 3.)

Determining Firewall Filter Rules with Firewalk
Firewalk's scanning phase determines which ports are open through the firewall. It sends TCP probes to port 1, port 2, port 3, ... each with TTL = (hops to the firewall) + 1. A probe the firewall forwards expires at the very next hop, which returns Time Exceeded; a probe the firewall drops gets no reply at all. "Aha! TCP port 3 is unfiltered!"

Firewalk Defenses
Configure the firewall with the minimum set of ports allowed through it.

Firewalk Defenses
- Replace packet-filtering devices with proxy-based firewalls (a proxy terminates the connection and opens a new one, so TTL information does not cross it). Drawback: lower performance.
- Filter ICMP Time Exceeded messages leaving your network. Drawback: normal users and network administrators will no longer be able to traceroute through it.
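The traceroute mechanism and both Firewalk phases in one added simulation (constructed for these slides; it is not Firewalk's code and does not send packets). A path of hops decrements the TTL of each probe; a hop at which the TTL expires answers Time Exceeded, and a hop marked as a packet filter silently drops probes to ports outside its allow-list. The second path applies the defense from the last slide, dropping Time Exceeded messages on their way out through the firewall, so the scanning phase goes blind while discovery still works. All addresses and the allow-list are assumptions of the example.

```python
from dataclasses import dataclass, replace
from typing import Optional, Set, Tuple


@dataclass
class Hop:
    ip: str
    allowed_ports: Optional[Set[int]] = None      # None: plain router; a set: packet-filter firewall
    drop_outbound_time_exceeded: bool = False     # defense: no Time Exceeded may leave the network


@dataclass
class Probe:
    dst: str
    dport: int
    ttl: int


def send(path, probe) -> Tuple[str, Optional[str]]:
    """Walk one probe through the path. Returns ('delivered', ip), ('time-exceeded', ip) or ('dropped', None)."""
    ttl = probe.ttl
    for i, hop in enumerate(path):
        if hop.ip == probe.dst:
            return ("delivered", hop.ip)          # reached the addressed host
        ttl -= 1                                  # every forwarding router decrements TTL
        if ttl == 0:
            # This hop discards the packet and sends ICMP Time Exceeded back. The reply has to
            # travel out through the earlier hops; a firewall among them that filters outbound
            # Time Exceeded swallows it and the sender sees nothing.
            if any(h.drop_outbound_time_exceeded for h in path[:i]):
                return ("dropped", None)
            return ("time-exceeded", hop.ip)
        if hop.allowed_ports is not None and probe.dport not in hop.allowed_ports:
            return ("dropped", None)              # the packet filter drops it silently
    return ("delivered", probe.dst)


def traceroute(path, dst, max_ttl=8):
    """Classic traceroute: ramp the TTL and record who answered at each step ('*' for silence)."""
    route = []
    for ttl in range(1, max_ttl + 1):
        kind, who = send(path, Probe(dst, 33434, ttl))
        route.append(who if who else "*")
        if kind == "delivered":
            break
    return route


def firewalk(path, gateway_ip, metric_ip, ports, max_ttl=30):
    """Phase 1 counts hops to the gateway; phase 2 probes ports with TTL = hops + 1."""
    hops = None
    for ttl in range(1, max_ttl + 1):
        _, who = send(path, Probe(gateway_ip, ports[0], ttl))
        if who == gateway_ip:                     # any answer from the gateway ends discovery
            hops = ttl
            break
    if hops is None:
        return None, {}
    results = {}
    for port in ports:
        kind, _ = send(path, Probe(metric_ip, port, hops + 1))
        results[port] = "unfiltered" if kind == "time-exceeded" else "no response"
    return hops, results


# Constructed topology: two ISP routers, a packet-filter firewall, one internal router, target beyond.
SAMPLE_PATH = [
    Hop("198.51.100.1"),
    Hop("198.51.100.2"),
    Hop("203.0.113.1", allowed_ports={25, 53, 80}),
    Hop("10.0.0.1"),
]


def with_icmp_egress_filter(path):
    """The defended variant: the firewall hop also drops Time Exceeded leaving the network."""
    return [replace(h, drop_outbound_time_exceeded=True) if h.allowed_ports is not None else h for h in path]


DEFENDED_PATH = with_icmp_egress_filter(SAMPLE_PATH)

if __name__ == "__main__":
    print("traceroute:", traceroute(SAMPLE_PATH, "203.0.113.1"))
    for name, path in (("open", SAMPLE_PATH), ("defended", DEFENDED_PATH)):
        print(name, firewalk(path, "203.0.113.1", "10.0.0.5", [21, 22, 25, 53, 80]))
```

The model checks the TTL before the filter rule at each hop, which is the ordering Firewalk depends on; a device that filters before it decrements the TTL, or a proxy that terminates the connection, gives the scanning phase nothing to measure.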

Vulnerability Scanning
What is a vulnerability scanner? A tool that probes systems for known weaknesses and reports what it finds. Types of vulnerabilities it looks for:
- Common configuration errors.
- Default configuration weaknesses.
- Well-known system vulnerabilities.

A Generic Vulnerability Scanner (figure)
Components: user configuration tool; scanning engine; knowledge base of the current active scan; results repository and report generation; vulnerability database; targets.

The Nessus Architecture
Client-server architecture:
- Client: the user configuration tool and a results repository/report generation tool.
- Server: the vulnerability database, a knowledge base of the current active scan, and the scanning engine.

The Nessus Architecture
- Supports strong authentication, based on public-key cryptography.
- Supports strong encryption of the client-server channel, based on the Twofish and RIPEMD algorithms (the Nessus releases of the time; later versions moved to SSL/TLS).
- The most common use: client and server running on a single machine.

Vulnerability Scanning Defenses
- Close unused ports.
- Keep systems patched.
- Run the tools against your own networks.
  - Be careful with Denial-of-Service (DoS) and password-guessing tests: they can crash services and lock out accounts.
  - Be aware of the limitations of vulnerability scanning tools: they only find what their vulnerability database describes.

Intrusion Detection Systems (IDS)
All the scanning tools are noisy, and their probes can be detected by a network-based intrusion detection system (IDS). An IDS listens for attacks and warns administrators of the attacker's activities.

How Intrusion Detection Systems Work
- Capture all data on the LAN.
- Sort through this data to determine whether an actual attack is under way.
- Keep a database of attack signatures and match the captured traffic against it.
- When an attack is discovered, warn the administrator.

A Network-Based Intrusion Detection System (figure)
The attacker sends packets to the protected server on TCP port 23 and TCP port 80; the IDS probe on the network segment sees the telnet attempt: "Port 23! Alert!"

IDS Evasion at the Network Level
Fragment packets. The IDS must reassemble the fragments to see the attack, but different target systems handle fragments, and especially overlapping fragments, inconsistently, so the IDS cannot know which reassembly the target will produce. Options:
- Just use fragments.
- Send a flood of fragments (to exhaust the IDS's reassembly buffers).
- Fragment the packets in unexpected ways.

The Tiny Fragment Attack (figure)
Fragment 1: part of the TCP header. Fragment 2: the rest of the TCP header, carrying the field the IDS is looking for. An IDS that inspects only the first fragment, or never reassembles, says "Looks good to me ...", while the protected server reassembles the complete header and acts on it.

A Fragment Overlap Attack (figure)
Fragment 1: part of a TCP packet for port 80. Fragment 2: "My offset is xyz"; its data contains part of a TCP header with port 23 and overlaps fragment 1. An IDS that keeps the first copy of the overlapping bytes sees a harmless connection to port 80 ("Looks good to me ..."); a target whose stack lets the later fragment overwrite the earlier one reassembles a connection to port 23.

Using FragRouter to Evade IDS Detection (figure)
The attack system sends ordinary attack packets to a FragRouter host, which re-emits them toward the victim as attack fragments; the IDS probe on the path says "Looks good to me ...".

Some of the Many Fragmentation Options Offered by FragRouter

Name    Flag  How the packets are mangled
frag-1  -F1   Send data in ordered 8-byte IP fragments.
frag-2  -F2   Send data in ordered 24-byte IP fragments.
frag-3  -F3   Send data in ordered 8-byte IP fragments, with one fragment sent out of order.
tcp-1   -T1   Complete the TCP handshake, send a fake FIN and RST (with bad checksums) before sending data in ordered 1-byte segments.
tcp-5   -T5   Complete the TCP handshake, send data in ordered 2-byte segments, preceding each segment with a 1-byte null data segment that overlaps the latter half of it. This amounts to the forward-overlapping 2-byte segment rewriting the null data back to the real attack.
tcp-7   -T7   Complete the TCP handshake, send data in ordered 1-byte segments interleaved with 1-byte null segments for the same connection but with drastically different sequence numbers.
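The tiny-fragment and fragment-overlap figures, reproduced as an added example (constructed for these slides, not FragRouter's or any IDS's code). A 20-byte TCP header is built with struct, split into IP-style fragments, and fed to a reassembler that can follow either of two overlap policies: keep the bytes that arrived first, or let later fragments overwrite. A signature-matching check on the reassembled header alerts on port 23 under one policy and stays silent under the other, which is exactly the disagreement between IDS and target that the evasion exploits. A second, naive inspector that only reads the first fragment shows the tiny-fragment case. Port numbers, the signature table and the two policies are assumptions of the example.

```python
import struct

SIGNATURES = {23: "telnet access to protected server"}   # constructed signature database
SYN = 0x02


def tcp_header(sport, dport, seq=0, ack=0, flags=SYN, window=8192):
    """Build a 20-byte TCP header with no options (checksum left zero; never put on the wire)."""
    data_offset = 5 << 4                                   # 5 x 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def dest_port(tcp_bytes):
    return struct.unpack("!H", tcp_bytes[2:4])[0]


def reassemble(fragments, policy):
    """fragments: list of (byte offset, payload), as IP would deliver them.
    policy 'first': bytes already received win the overlap; 'last': later fragments overwrite.
    Real stacks differ in exactly this choice, which is what the overlap attack relies on."""
    total = max(off + len(payload) for off, payload in fragments)
    buf = bytearray(total)
    written = [False] * total
    for off, payload in fragments:
        for i, b in enumerate(payload):
            pos = off + i
            if policy == "last" or not written[pos]:
                buf[pos] = b
                written[pos] = True
    return bytes(buf)


def ids_check(fragments, policy="first"):
    """Reassemble the way the sensor does, then look the destination port up in the signatures."""
    segment = reassemble(fragments, policy)
    return SIGNATURES.get(dest_port(segment))


def first_fragment_only_syn_check(fragments):
    """A filter or sensor that inspects only the offset-0 fragment and needs dport plus the SYN bit.
    With an 8-byte first fragment the flags byte (offset 13) is absent, so it has nothing to match."""
    first = next(payload for off, payload in fragments if off == 0)
    if len(first) < 14:
        return None                                        # "Looks good to me ..."
    if first[13] & SYN and dest_port(first) in SIGNATURES:
        return "SYN to port %d" % dest_port(first)
    return None


def overlap_attack(sport=40000):
    """Fragment 1: a full header to port 80. Fragment 2: 8 bytes at offset 0 with a header start for port 23."""
    innocent = tcp_header(sport, 80)
    hidden = tcp_header(sport, 23)
    return [(0, innocent), (0, hidden[:8])]


def tiny_fragment_attack(sport=40000):
    """Split a SYN to port 23 so that the flags byte lands in the second fragment (8-byte fragments)."""
    hdr = tcp_header(sport, 23)
    return [(0, hdr[:8]), (8, hdr[8:])]


if __name__ == "__main__":
    frags = overlap_attack()
    print("IDS (first wins) sees port", dest_port(reassemble(frags, "first")), "->", ids_check(frags, "first"))
    print("target (last wins) sees port", dest_port(reassemble(frags, "last")), "->", ids_check(frags, "last"))
    print("first-fragment-only inspector on tiny fragments:", first_fragment_only_syn_check(tiny_fragment_attack()))
```

The defense is not to pick the "right" policy in the sensor but to normalize: drop or rewrite overlapping fragments before they reach the host, or correlate with a host-based sensor that sees what the target actually reassembled.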

IDS Evasion Defenses
- Keep the IDS up to date (signatures as well as the reassembly and normalization code).
- Use both host-based and network-based IDS: a host-based sensor sees the traffic as the host actually reassembled it.

References
Firewalk: k/firewalk-final.html
Nessus:

Vulnerability Assessment Tool

Description
Nessus is a free, open-source vulnerability scanner that provides a view of your networks as seen by outsiders.

Description
Nessus also provides many kinds of detailed reports that identify the vulnerabilities and the critical issues that need to be corrected.
Nessus features:
- Plugin-based
- Exportable reports

Structure (figure)

Step (I): Install Nessus
Some ways to install:
- lynx -source | sh: dangerous, because whatever the web server returns is executed immediately, with no chance to inspect or verify it first.
- sh nessus-installer.sh: easy and less dangerous, since the downloaded installer can be read and its checksum or signature verified before it is run.

Step (II): Create a nessusd account
Add the client user's account. Authentication method: password check. Edit the user's rights (the rules restricting which hosts that user may scan).

Step (III): Create a nessusd account
Authentication method: key exchange. Enter the key information of the user.

Step (V): Nessus client configuration
Enter the nessusd server's address, the port nessusd listens on, the login user name and the user's password, then click "Log in".

Scan options: set the scan range, choose the options for avoiding detection by an IDS, and choose the scan tools (plugins).

Target selection: input the target's address.

Nessus information; start the scan.

The scan process: scanning.

Exporting the data (I)
The report lists the target's open ports and, for each finding, the related resources: background information (know-how) and the solution.

Exporting the data (II)
Report in HTML with graphs; warning information.

Summary
Nessus is a powerful vulnerability assessment tool and port scanner.

Reference
Nessus