Scanning & Enumeration Lab 3

Presentation transcript:

Scanning & Enumeration Lab 3
Once the attacker knows whom to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.), the next step is to figure out the rest of the network and its vulnerabilities.

Network Scanning and Enumeration
The process of collecting information about the computers (assets) available on a network, either by
◦ listening to network traffic, or
◦ probing the network by sending traffic and observing what traffic is returned as a result.
◦ E.g. scan looking for IP addresses (ping)
◦ Once you figure out what is there, then you can attack it appropriately
   Scan for ports to see what services are available, and then apply appropriate exploits
   Scan for user names and passwords, unused accounts, etc.

Port and Vulnerability Scanning
Once you know a device is present, what are its vulnerabilities?
◦ Apply some programs to check all ports, looking for open ports
   Some services running on certain ports have known vulnerabilities
   qs/section-21.html
◦ Or you can apply some programs that specifically look for vulnerabilities (a combination of network, port and vulnerability scanning)

Scanning Programs
Tools used to identify which computers are active on a network, and which ports and services are available on each computer.
◦ Verify which IP addresses are active on a network
   ping sweep
◦ Determine what services are available from each system
   port scan
   Note: port scanning may be illegal in some states
Examples:
◦ nmap
◦ unicornscan
◦ superscan
◦ nessus
◦ fping
◦ hping

Caveat: tools have their own footprints - but not always
“While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines (or firewalls in front of them). Such hosts may be untrustworthy and send responses intended to confuse or mislead Nmap. Much more common are non-RFC-compliant hosts that do not respond as they should to Nmap probes. FIN, NULL, and Xmas scans are particularly susceptible to this problem. Such issues are specific to certain scan types and so are discussed in the individual scan type entries.”
“Truly advanced Nmap users need not limit themselves to the canned scan types offered. The --scanflags option allows you to design your own scan by specifying arbitrary TCP flags. Let your creative juices flow, while evading intrusion detection systems whose vendors simply paged through the Nmap man page adding specific rules!”
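The second quotation makes the defender's point in reverse: a detection rule keyed to one flag combination is sidestepped by --scanflags, so a scan detector should key on behaviour (one source touching many distinct ports in a short window) and ignore the flags entirely. The following is an added example, not code from the slides or from the Nmap project; the log format, the source addresses and the thresholds are all constructed for the example.

```python
"""Flag-agnostic port-scan detector over firewall-style log lines.

Added example (not from the original slides). The log format is constructed:
"<epoch> <src_ip> -> <dst_ip>:<dst_port> <flags>"; "-" means no flags set.
"""
from collections import defaultdict, deque

# Constructed sample: 10.0.0.5 walks six ports using a different flag
# combination each time (SYN, FIN/PSH/URG, no flags, SYN/FIN ...), which is
# what a --scanflags style probe looks like; 10.0.0.7 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
1000 10.0.0.5 -> 192.168.1.10:22 S
1001 10.0.0.5 -> 192.168.1.10:23 FPU
1002 10.0.0.5 -> 192.168.1.10:25 -
1003 10.0.0.5 -> 192.168.1.10:80 SF
1004 10.0.0.5 -> 192.168.1.10:110 S
1005 10.0.0.5 -> 192.168.1.10:143 FPU
1006 10.0.0.7 -> 192.168.1.10:443 S
1007 10.0.0.7 -> 192.168.1.10:443 S
1008 10.0.0.7 -> 192.168.1.10:443 S
"""


def parse_line(line):
    """Return (timestamp, src, dst, port, flags) for one constructed log line."""
    ts, src, _arrow, dst_port, flags = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return int(ts), src, dst, int(port), flags


def detect_scanners(log_text, threshold=5, window=60):
    """Return {src_ip: distinct_ports_hit} for every source that touched at
    least `threshold` distinct destination ports within `window` seconds.

    The flags column is parsed but deliberately never consulted: the signal is
    the fan-out across ports, which no choice of TCP flags can hide.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, port) still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, port, _flags = parse_line(line)
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG))   # {'10.0.0.5': 6}
```

The window/threshold pair is the tuning knob: a small window with a low threshold catches fast scans but may alert on a busy monitoring host, so production rules usually whitelist known scanners and raise the threshold for them.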

Different kinds of scans explained
techniques.html

Internet Control Message Protocol (ICMP)
Allows servers to communicate with each other and report errors, to ensure that network paths are working properly.
◦ The PING utility is based on the use of ICMP echo requests and echo replies.
◦ PING is used to verify whether another network host is accessible.

UDP Scanning (UDP Protocol)
Sending UDP packets to a target host to determine which UDP ports are open.
◦ A sequence of packets is sent to a series of different UDP port numbers to test the availability of each port.
◦ If the UDP port is OPEN on the target host, no reply is sent.
◦ If the UDP port is NOT OPEN, an ICMP Destination Unreachable packet is sent in response to the probe.

TCP Scanning (TCP Protocol)
Based on various features of TCP. Some of the features used for scanning and enumeration include:
◦ Opening a TCP connection (3-way handshake)
◦ Closing a TCP connection
◦ TCP connection reset
◦ TCP null scan

TCP 3-way handshake
Used to establish a TCP connection. Packet sequence for the 3-way handshake:
◦ SYN segment - requests a connection (e.g., with a server)
◦ SYN-ACK - acknowledges the (client's) SYN information and provides the (server's) information for establishing the connection.
◦ ACK - acknowledges the (server's) information
This process can be used to determine which TCP ports are open on a server.

Closing a TCP Connection
Uses a modified 3-way handshake
◦ FIN - indicates that either host (e.g., Host B) has finished sending data and is ready to close the connection.
◦ ACK
   Host A acknowledges receipt of the FIN.
   The connection is "half-closed" at this point.
   Host B transmits no more data.
◦ FIN
   Host A indicates it is now ready to close the connection.
◦ ACK
   Host B acknowledges A's FIN.
   The connection is closed when Host A receives the final ACK from Host B.

TCP Connection Reset
Allows an application to disconnect from a connection in abnormal circumstances. Either host initiates the reset by sending a TCP segment with the RST bit set. The receiving host immediately aborts the connection and informs the application program that a reset has occurred.

Some Types of TCP Port Scans
SYN scan
◦ Send a SYN packet
◦ If the port is closed, the target responds with RST/ACK
◦ If the port is open, the target responds with SYN/ACK
   The sender then sends RST/ACK to close the connection
Connect scan
◦ Similar to a SYN scan, but completes the 3-way handshake
◦ A connection is established
NULL scan
◦ Send a packet with all flags OFF
◦ If the destination port is open, no response is sent
◦ If the destination port is closed, a RST packet is sent
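The handshake, the reset and the three scan types above all come down to which of the six flag bits (FIN, SYN, RST, PSH, ACK, URG) are set in the 16-bit field at offset 12 of the TCP header. The code below is an added example, not code from the slides or from Nmap: it packs constructed 20-byte TCP headers for the handshake, parses the flag bits back out, and applies the inference table from the slide. Two interpretations beyond the slide are Nmap's conventions and are labelled as such in the comments: no answer to a SYN probe is reported as filtered, and no answer to a NULL probe is reported as open|filtered, because the slide's "no response means open" cannot distinguish an open port from a dropped probe.

```python
"""TCP flag parsing and scan-response inference (added example, constructed data)."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))


def tcp_segment(sport, dport, flags, seq=0, ack=0):
    """Constructed minimal 20-byte TCP header: no options, window 65535, checksum 0."""
    data_offset = 5 << 12                 # header length in 32-bit words, in the top 4 bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, data_offset | flags, 65535, 0, 0)


def parse_flags(segment):
    """Return the set of flag names set in a raw TCP header."""
    (offset_and_flags,) = struct.unpack("!H", segment[12:14])
    bits = offset_and_flags & 0x3F        # low six bits: FIN SYN RST PSH ACK URG
    return {name for name, bit in FLAG_NAMES if bits & bit}


def handshake(client_port, server_port):
    """The three segments of the 3-way handshake, with the flags the slides list."""
    return [
        tcp_segment(client_port, server_port, SYN, seq=100),            # client: SYN
        tcp_segment(server_port, client_port, SYN | ACK, seq=300, ack=101),  # server: SYN-ACK
        tcp_segment(client_port, server_port, ACK, seq=101, ack=301),   # client: ACK
    ]


def classify_tcp_probe(scan_type, response):
    """Infer a port state from the probe type and the raw response segment (None = no reply)."""
    flags = parse_flags(response) if response is not None else None
    if scan_type in ("syn", "connect"):
        if flags is None:
            return "filtered"             # Nmap convention: silence to a SYN means a filter ate it
        if flags >= {"SYN", "ACK"}:
            return "open"                 # handshake step 2 arrived
        if "RST" in flags:
            return "closed"               # RST (usually RST/ACK) from a closed port
        return "unknown"
    if scan_type == "null":
        if flags is None:
            return "open|filtered"        # Nmap convention: open and silent, or dropped
        if "RST" in flags:
            return "closed"
        return "unknown"
    raise ValueError(f"unsupported scan type: {scan_type}")


if __name__ == "__main__":
    for seg in handshake(40000, 80):
        print(sorted(parse_flags(seg)))
    print(classify_tcp_probe("syn", tcp_segment(80, 40000, RST | ACK)))   # closed
```

A NULL probe (flags field zero) is exactly what `tcp_segment(sport, dport, 0)` produces, and the Nmap caveat quoted earlier applies: a host that is not RFC-compliant may answer it with RST even for open ports, so the "closed" verdict from a NULL scan is only as reliable as the target's stack.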

Enumeration
The process of extracting information from a network:
◦ Resources or shares available on the network
   Determine the OS using fingerprinting/scanning
◦ User names or groups assigned on the network
◦ The last time a user logged on, as well as his/her password
Tools
◦ NBTscan
◦ NetScanTools Pro
◦ Hyena
◦ Finger
◦ IKE-Scan

Vulnerability Scanners
Programs designed to search for and map systems, looking for weaknesses in an application, computer or network.
Tools
◦ nessus
◦ SAINT
◦ Microsoft Baseline Security Analyzer