1 Lab 1: Reconnaissance, Network Mapping, and Vulnerability Assessment Reconnaissance Scanning Network Mapping Port Scanning OS detection Vulnerability.

Slides:



Advertisements
Similar presentations
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Advertisements

TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.
Computer Security Fundamentals
Nmap Experiment.
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
1 Reading Log Files. 2 Segment Format
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
IP Network Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.
System Security Scanning and Discovery Chapter 14.
Hacking Linux Based on Hacking Linux Exposed Hatch, Lee, and Kurtz ISBN
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Port Scanners.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
Port Scanning Yiqian Zhang CS 265 Project. What is Port Scanning? port scanning is equivalent to knocking on the walls to find all the doors and windows.
Computer Security and Penetration Testing
Penetration Testing.
Port Scanning.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
Ana Chanaba Robert Huylo
SCSC 555 Frank Li.  Port scanning  Port-scanning tools  Ping sweeps 2.
 Find out initial information ◦ Open Source ◦ Whois ◦ Nslookup  Find out address range of the network ◦ ARIN (American registry for internet numbers)
Information Gathering Lesson 4. Steps for Gathering Information Find out initial information Open Source Whois Nslookup Find out address range of the.
1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.
Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.
Port Scanning 0x470~0x480 Presenter SangDuk Seo 1.
Attack Lifecycle Many attacks against information systems follow a standard lifecycle: –Stage 1: Info. gathering (reconnaissance) –Stage 2: Penetration.
CIS 450 – Network Security Chapter 3 – Information Gathering.
1 CSCD434 Lecture 8 Spring 2014 Scanning Activities Network Mapping and Scanning.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
Snort & Nmap Mike O’Connor Eric Tallman Matt Yasiejko.
1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.
1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Port Scanners.
Network Assessment How intrusion techniques contribute to system/network security Network and system monitoring System mapping Ports, OS, applications.
Chapter 2 Scanning Last modified Determining If The System Is Alive.
CHAPTER 3 Classes of Attack. INTRODUCTION Network attacks come from both inside and outside firewall. Kinds of attacks: 1. Denial-of-service 2. Information.
Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.
Scanning & Enumeration Lab 3 Once attacker knows who to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.) the next step is.
Trinity Uses Nmap, shouldn’t you?. From “The Art of War” "... knowing your enemy 100% of the time, you will win your battle 100% of the time, knowing.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Assessing a Target System Source: Chapter 3 Computer Security Fundamentals Chuck Easttom Prentice Hall, 2006.
1 Figure 4-1: Targeted System Penetration (Break-In Attacks) Host Scanning  Ping often is blocked by firewalls  Send TCP SYN/ACK to generate RST segments.
1 Security Penetration Testing Angela Davis Mrinmoy Ghosh ECE4112 – Internetwork Security Georgia Institute of Technology.
Introduction A security scanner is a software which will audit remotely a given network and determine whether bad guys may break into it,or misuse it.
1 CSCD434 Lecture 7 Spring 2012 Scanning Activities Network Mapping and Scanning.
Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.
Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF
Retina Network Security Scanner
Footprinting and Scanning
17 Establishing Dial-up Connection to the Internet Using Windows 9x 1.Install and configure the modem 2.Configure Dial-Up Adapter 3.Configure Dial-Up Networking.
Hands-On Ethical Hacking and Network Defense
Network Reconnaissance CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University.
Scanning.
Footprinting/Scanning/ Enumeration Lesson 9. Footprinting External attack: Enables attackers to create a profile of an organization’s security posture.
 Terms:  “Security”: is a system’s ability to provide services while maintaining the five IA pillars  “Attack”: an action that violates one of the.
Monitoring Dynamic IOC Installations Using the alive Record Dohn Arms Beamline Controls & Data Acquisition Group Advanced Photon Source.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.
Port Scanning James Tate II
Footprinting and Scanning
CITA 352 Chapter 5 Port Scanning.
Port Scanning (based on nmap tool)
Information Gathering
Footprinting and Scanning
Presentation transcript:

1 Lab 1: Reconnaissance, Network Mapping, and Vulnerability Assessment Reconnaissance Scanning Network Mapping Port Scanning OS detection Vulnerability assessment

ECE Internetwork Security 2 Reconnaissance Internet Network Information Center who-is database Registrar’s database i.e. American Registry for Internet Numbers (ARIN) Domain Name System (DNS) nslookup

ECE Internetwork Security 3 Reconnaissance After Recon, it is possible to know detailed information about a potential target This information includes specific IP addresses and ranges of addresses that may be further probed.

ECE Internetwork Security 4 Scanning Objective 1: Network Mapping Why: To determine what the network looks like logically. How: Manually using tools like ping, traceroute, tracert, or with tools like Cheops network mapping tool

ECE Internetwork Security 5 Scanning Objective 2: Port Scanning Why: To find open ports in order to exploit them. How: TCP Connect -- attempt to complete 3-way handshake, look for SYN-ACK, easy to detect this scan TCP SYN Scan -- “half-open” scan, look for SYN-ACK, then send RESET, target system will not record connection, also faster than TCP connect scan TCP FIN, Xmas Tree, Null Scans -- scans that violate the protocol, closed ports send RESET, open ports send nothing (Windows does not respond to these scans)

ECE Internetwork Security 6 Scanning TCP ACK Scan -- may be useful to get past packet filters (believes it is a response to a request from inside firewall), if receive RESET, know this port is open through firewall FTP Bounce Scan -- request that server send file to a victim machine inside their network (most servers have disabled this service) UDP Scan -- unreliable, if receive ICMP Port Unreachable, assume closed, otherwise open Ping Sweep -- can use ICMP or TCP packets

ECE Internetwork Security 7 Scanning Additional objectives: Decoys -- insert false IP addresses in scan packets Ping Sweeps -- identify active hosts on a target network Find RPCs -- connect to each open port looking for common RPC services (send NULL RPC commands)

ECE Internetwork Security 8 Scanning Objective 3: Operating System Detection Why: To determine what Operating System is in use in order to exploit known vulnerabilities. Also known as TCP stack fingerprinting. Take advantage of ambiguity of how to handle illegal combinations of TCP code bits that is found in the RFCs. Each OS responds to illegal combinations in different ways. Determine OS by system responses.

ECE Internetwork Security 9 OS detection Window Size: Most Unix Operating Systems keep the window Size the same throughout a session. Windows Operating Systems tend to change the window size during a session. Time to Live: FreeBsd or Linux typically use 64, Windows Typically uses 128. Do Not Fragment Flag: Most OS leave set, OpenBSD leaves it unset.

ECE Internetwork Security 10 Nmap: Network Exploration Tool Purpose: “To allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering.” Available at:

ECE Internetwork Security 11 Nmap: What does it do? Port scanning OS detection Ping sweeps

ECE Internetwork Security 12 Nmap: How does it work? UDP FIN TCP connect() ACK sweep TCP SYN (half open) Xmas Tree ftp proxy (bounce attack) SYN sweep Reverse-Identification IP Protocol ICMP (ping sweep) Null Scan Use the following Scan techniques :

ECE Internetwork Security 13 Nmap: How does it work? Uses the following OS detection techniques TCP/IP fingerprinting stealth scanning dynamic delay and retransmission calculations parallel scanning detection of down hosts via parallel pings decoy scanning port filtering detection direct (non-port mapper) RPC scanning fragmentation scanning flexible target and port specification.

ECE Internetwork Security 14 Scanning Vulnerability Assessment (1) Objective 4: Vulnerability Assessment Why: To determine what known (or unknown?) vulnerabilities exist on a given network Vulnerabilities come from: Default configuration weakness Configuration errors Security holes in applications and protocols Failure to implement patches!

ECE Internetwork Security 15 Vulnerability Assessment Vulnerability checkers use: Database of known vulnerabilities Configuration tool Scanning engine Knowledge base of current scan Report generation tool

ECE Internetwork Security 16 Scanning tool: Nessus Purpose: “To provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner.” Security Scanner: “A software which will audit remotely a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way.” Available platforms: UNIX for client and server Windows for client only Available at:

ECE Internetwork Security 17 Nessus: What does it do? Iteratively tests a target system (or systems) for known exploitation vulnerabilities Uses a separate plug-in (written in C or Nessus Attack scripting Language) for each security test Can test multiple hosts concurrently Produces a thorough vulnerability assessment report at the conclusion of the vulnerability scan

ECE Internetwork Security 18 What does Nessus check for? Backdoors CGI abuses Denial of Service Finger abuses FTP Gain a shell remotely Gain root remotely Port scanners Remote file access RPC SMTP problems Useless services Windows and more...

ECE Internetwork Security 19 Scanning tool: Superscan4 (windows XP) Purpose: “To provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner.” Security Scanner: “Superior scanning speed, Support for unlimited IP ranges, Improved host detection using multiple ICMP methods, TCP SYN scanning, UDP scanning (two methods), IP address import supporting ranges and CIDR formats, Simple HTML report generation, Source port scanning, Fast hostname resolving, Extensive banner grabbing, Massive built-in port list description database, IP and port scan order randomization, A selection of useful tools (ping, traceroute, Whois etc),Extensive Windows host enumeration capability.”

ECE Internetwork Security 20 Lab Enhancements What corrections and or improvements do you suggest for this lab? Please be very specific and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make minor corrections/suggestions. General suggestions like add tool xyz to do more capable scanning will not be awarded extras points even if the statement is totally true. Specific text that could be cut and pasted into this lab, completed exercises, and completed solutions may be awarded additional credit. Thus if tool xyx adds a capability or additional or better learning experience for future students here is what you need to do. You should add that tool to the lab by writing new detailed lab instructions on where to get the tool, how to install it, how to run it, what exactly to do with it in our lab, example outputs, etc. You must prove with what you turn in that you actually did the lab improvement yourself. Screen shots and output hardcopy are a good way to demonstrate that you actually completed your suggested enhancements. The lab addition section must start with the title “Lab Addition”, your addition subject title, and must start with a paragraph explaining at a high level what new concept may be learned by adding this to the existing laboratory assignment. After this introductory paragraph, add the details of your lab addition. Include the lab addition cover sheet from the class web site.

ECE Internetwork Security 21 Lab Enhancements Cover Sheet What new concept may be learned by adding this to the existing laboratory assignment? (Or what existing concept is better learned with this addition as opposed to what is in the existing lab assignment): What are the specific vulnerabilities this concept exploits and what are the defenses one can use against the vulnerabilities? Completion checklist: Did you an electronic copy of your laboratory addition to Henry within 24 hours after the class (and name the attachment Grx_Laby_Add.doc)? ________ Did you prepare a 5 minute in class presentation (which includes enough theory and results to educate your classmates on what you did and how you did it and discuss defenses) and that to Henry within 24 hours after the class (and name the attachment Grx_Laby_Add.ppt)? _______ Did you include proof that you got this working in our laboratory with our equipment? (Screen shots, output, etc)? ____________ Did you include references and attributes for all materials that you used? __________ Did you write your addition so that it does not require editing to cut and paste into the lab? ____ Did you include answers to all questions you ask in the addition (a solution sheet)? _______ In adding your new concepts/exercises did you include detailed lab instructions on where to get any software you may need, how to install it, how to run it, what exactly to do with it in our lab, example outputs proving that you got the enhancement to work in our lab? ___________ Did you include any theory/background and or fundamentals of the ideas and concepts behind this addition? _____________

ECE Internetwork Security 22

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.