Networks Fall 2012.


1 Networks Fall 2012

2 Review – Last Lecture Computer Crimes Ping Sweep Port Scan

3 Review - Ping Sweeping The first step in scanning is to determine which IP addresses in the network block belong to live hosts. This can be done using the Internet Control Message Protocol (ICMP). ICMP was designed as a simple protocol to report network error conditions and supply basic network information. Unfortunately, ICMP can also be used by hackers for network reconnaissance, and it is a particularly good protocol for identifying active IP addresses. Unlike the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), ICMP does not connect to a particular service on a given host, but rather attempts to contact the host operating system. Knowing the IP address of a host is enough to determine if the host is alive: simply send it an ICMP echo request (a ping), and if it responds, you know the machine is alive. Using ICMP to determine the live hosts on a network is often termed ping sweeping.

4 Review - Port Scan Methods
Port scanning can be subdivided into three groups: horizontal, vertical, and block scans. A horizontal scan queries a specific port on numerous machines. This is used when an exploit is known for a particular service and the hacker wants to know which machines are running this vulnerable service. An example would be scanning for the notoriously vulnerable FTP service on port 21. A vertical scan queries all the ports on a given host. For example, if a hacker wants to alter the content of the CS web site, all ports on the web server would be scanned. A block scan is a combination of a vertical and a horizontal scan. A block scan can determine the same information as an ICMP ping sweep (i.e., which machines are active in the network block), with the added benefit of determining the services running on the active hosts.
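As an added example (not part of the lecture slides), the following Python classifies the ping sweep and the three scan shapes described above from connection-attempt log lines, the way a simple detector on a firewall log would. The log format, the thresholds, the addresses and the traffic itself are all constructed for this example; a real deployment would parse its own firewall or flow records and tune the thresholds to its network.

```python
"""Classify reconnaissance patterns from connection-attempt log lines (added example).

Constructed log format, one probe per line:
    <time> <proto> <src_ip> <dst_ip> <dst_port>      ('-' = no port, used for ICMP echo)
"""
from collections import defaultdict

# Detection thresholds (assumed for this example; tune to the monitored network).
PING_SWEEP_MIN_HOSTS = 4    # distinct hosts pinged by one source
HORIZONTAL_MIN_HOSTS = 4    # distinct hosts probed on the same port by one source
VERTICAL_MIN_PORTS = 5      # distinct ports probed on the same host by one source


def parse_line(line):
    """Split one constructed log line into its fields."""
    time, proto, src, dst, dport = line.split()
    return {"time": time, "proto": proto, "src": src, "dst": dst,
            "dport": None if dport == "-" else int(dport)}


def classify(lines):
    """Return {source_ip: [finding, ...]} for ping sweeps and horizontal/vertical/block scans."""
    icmp_hosts = defaultdict(set)                              # src -> hosts pinged
    ports_by_host = defaultdict(lambda: defaultdict(set))      # src -> dst -> ports touched
    hosts_by_port = defaultdict(lambda: defaultdict(set))      # src -> port -> hosts touched
    for line in lines:
        rec = parse_line(line)
        if rec["proto"] == "icmp":
            icmp_hosts[rec["src"]].add(rec["dst"])
        else:
            ports_by_host[rec["src"]][rec["dst"]].add(rec["dport"])
            hosts_by_port[rec["src"]][rec["dport"]].add(rec["dst"])

    findings = defaultdict(list)
    for src, hosts in icmp_hosts.items():
        if len(hosts) >= PING_SWEEP_MIN_HOSTS:
            findings[src].append(f"ping sweep: {len(hosts)} hosts")
    for src in set(ports_by_host) | set(hosts_by_port):
        # hosts that received a vertical (many-port) probe from this source
        vertical = [h for h, p in ports_by_host[src].items() if len(p) >= VERTICAL_MIN_PORTS]
        # ports that were probed horizontally (on many hosts) from this source
        horizontal = [p for p, h in hosts_by_port[src].items() if len(h) >= HORIZONTAL_MIN_HOSTS]
        if len(vertical) >= HORIZONTAL_MIN_HOSTS:      # many ports on many hosts = block scan
            findings[src].append(f"block scan: {len(vertical)} hosts x >={VERTICAL_MIN_PORTS} ports")
        elif horizontal:
            findings[src].append(f"horizontal scan: port(s) {sorted(horizontal)} on >={HORIZONTAL_MIN_HOSTS} hosts")
        elif vertical:
            findings[src].append(f"vertical scan: {len(vertical)} host(s), >={VERTICAL_MIN_PORTS} ports each")
    return dict(findings)


def constructed_log():
    """Build a constructed sample log (not real traffic) containing each pattern once."""
    lines, count = [], 0

    def add(proto, src, dst, dport="-"):
        nonlocal count
        count += 1
        lines.append(f"10:{count // 60:02d}:{count % 60:02d} {proto} {src} {dst} {dport}")

    for i in range(1, 7):                          # ping sweep of six hosts ...
        add("icmp", "198.51.100.7", f"192.0.2.{i}")
    for i in range(1, 7):                          # ... then a horizontal scan for FTP/21
        add("tcp", "198.51.100.7", f"192.0.2.{i}", 21)
    for port in (21, 22, 23, 25, 53, 80, 110, 143, 443):   # vertical scan of one web server
        add("tcp", "203.0.113.9", "192.0.2.10", port)
    for i in range(20, 24):                        # block scan: 4 hosts x 5 ports
        for port in (21, 22, 23, 25, 80):
            add("tcp", "198.51.100.200", f"192.0.2.{i}", port)
    add("tcp", "192.0.2.50", "192.0.2.10", 80)     # ordinary client: no finding expected
    add("tcp", "192.0.2.50", "192.0.2.10", 443)
    return lines


if __name__ == "__main__":
    for src, notes in classify(constructed_log()).items():
        print(src, "->", "; ".join(notes))
```

The block scan test deliberately outranks the horizontal test: four hosts each hit on five ports would also satisfy the per-port horizontal rule, and reporting it once as a block scan is the more useful alert.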

5 OUTLINE Computer Crimes Operating System Identification Firewalking

6 Computer Crimes

7 Crimes 1 A variant of the dangerous Bugbear worm infected users around the world last week. Its predecessor displaced longtime record holder Klez at the top of the antivirus prevalence lists in October. Bugbear.B is a polymorphic file infector and can disable security software. It propagates via and network shares, and installs a keystroke logger and a remote access Trojan. Some vendors are reporting that the worm may the information gathered by the keystroke logger to the virus writer and that it may also spawn print jobs on network printers. Buried inside the worm is a list of domain names for banks around the world. When executed, the worm checks to see if any of the domain names match the system it's infecting. If Bugbear.B finds a match, it will keep infected banks' workstations always online. This ensures that the backdoor component is accessible at all times, which makes it easier to steal sensitive information. Bugbear.B was initially ranked as a low-level threat by most AV vendors, but has since climbed to the highest malware ratings.

8 Crimes 2 Cyberattacks worldwide hit record levels last month (May 2003), with more than three-quarters of successful breaches made against Linux-based systems. An analysis of attacks over the past three months (mainly to determine the digital impact of the Iraqi war) shows that compromised Linux-based systems accounted for a whopping 76 percent, or 19,208 breaches, between March and May. Microsoft's Windows-based systems, mainly IIS servers, were the victims of most other attacks. The upswing in Linux attacks is attributed to misconfigured systems and the lack of standard security practices for online server management within the open-source community.

9 Crimes 3 A British man faces a two-year jail sentence after Canadian courts found him guilty of cyber-stalking a woman he had met in an internet chat room. Christopher Kell, 37, from Cumbria, England, pleaded guilty to stalking a Winnipeg woman by sending thousands of harassing s, letters and faxes after their relationship ended. The two met four years ago in an internet literature chat room and later met in person in Paris. She became pregnant with his child and went on to miscarry. The trial also revealed that Kell had sent nude photos of the woman to her family, an ex-lover, local businesses and two churches in her local community.

10 Operating System Identification

11 Stack Fingerprinting Once the hosts and ports have been mapped by scanning the target network, the final footprinting step is to determine the operating system. This step is sometimes called stack fingerprinting. The two primary methods used to fingerprint are banner grabbing and active stack fingerprinting. The general process is to send a query or packet to the target system and analyze its response, because different operating systems respond differently.

12 Banner Grabbing Some services can be used to identify an operating system. The TELNET service is the most notable example. If a system provides the TELNET service, just by telneting to the box and looking at the welcome banner we can, in most cases, identify the operating system:
telnet
Debian GNU/Linux 2.1 target.domain.com
target login:
Hint: turn off the banner or return a false one.

13 Other Services Other services have banners that give the same information, for example the mail server:
220 target.domain.com ESMTP Sendmail 8.9.3/8.9.3/Debian/GNU; Thu, 28 Oct :56:
Sometimes, after hitting Enter a few times, the banner is returned specifying the vendor and version of the service running on the port. Some systems leak information when given incorrect or incomplete input:
telnet
get
HTTP/ Bad Request
Server: Microsoft-IIS/4.0
Date: Thu, 28 Oct :29:46 GMT
Content-Type: text/html
Content-Length: 87

14 Problems Banner grabbing is simple, but it has some drawbacks.
First, opening a telnet connection to many ports on many hosts can be time consuming. In addition, if many connections are established, an IDS may be able to draw a correlation between the connections and flag the traffic as potentially hazardous. Finally, a security-conscious network administrator will turn off banner presentation in the service software. If this is the case, determining the vendor and version of a service will be more difficult and may have to be inferred using other fingerprinting techniques.
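Since the recommended countermeasure is to turn banners off, an administrator wants a quick check of what their own services still disclose. The following Python is an added example (not from the lecture): it audits banner strings modelled on the TELNET, SMTP and HTTP banners quoted above and reports the product/version pairs and OS names each one leaks, alongside hardened variants that leak nothing. The sample banners, including their dates and the hardened forms, are constructed for this example; the regular expressions are a deliberately simple heuristic.

```python
"""Audit service banners for version and OS disclosure (added example)."""
import re

# Product/version pairs such as "Sendmail 8.9.3" or "Microsoft-IIS/4.0":
# a name, a space or slash, then a dotted version number.
PRODUCT_VERSION = re.compile(r"\b([A-Za-z][\w.-]*?)[/ ]v?(\d+(?:\.\d+)+)")
# Protocol tokens carry a version too ("HTTP/1.1") but name no software.
PROTOCOL_NAMES = {"HTTP", "SMTP", "ESMTP"}
# Operating system names worth flagging (list assumed for this example).
OS_NAME = re.compile(r"\b(Debian|Ubuntu|Linux|Solaris|FreeBSD|OpenBSD|Windows|HP-UX|AIX)\b")


def audit_banner(banner):
    """Return the software versions and OS names a banner discloses."""
    versions = [(product, version) for product, version in PRODUCT_VERSION.findall(banner)
                if product.upper() not in PROTOCOL_NAMES]
    oses = sorted({m.group(0) for m in OS_NAME.finditer(banner)})
    return {"versions": versions, "os": oses, "leaks": bool(versions or oses)}


def audit_all(banners):
    """Audit a {service_name: banner} mapping; returns {service_name: audit result}."""
    return {name: audit_banner(text) for name, text in banners.items()}


# Constructed banners modelled on the ones quoted in the lecture (dates made up),
# plus hardened versions of the SMTP and HTTP banners with the version removed.
SAMPLE_BANNERS = {
    "telnet": "Debian GNU/Linux 2.1 target.domain.com\r\ntarget login: ",
    "smtp": "220 target.domain.com ESMTP Sendmail 8.9.3/8.9.3/Debian/GNU; "
            "Thu, 28 Oct 1999 10:56:04 -0400\r\n",
    "http": "HTTP/1.1 400 Bad Request\r\nServer: Microsoft-IIS/4.0\r\n"
            "Date: Thu, 28 Oct 1999 10:29:46 GMT\r\nContent-Type: text/html\r\n"
            "Content-Length: 87\r\n\r\n",
    "smtp_hardened": "220 mail ESMTP\r\n",
    "http_hardened": "HTTP/1.1 400 Bad Request\r\nServer: webserver\r\n"
                     "Content-Length: 87\r\n\r\n",
}


if __name__ == "__main__":
    for name, result in audit_all(SAMPLE_BANNERS).items():
        status = "LEAKS" if result["leaks"] else "ok"
        print(f"{name:14s} {status:5s} versions={result['versions']} os={result['os']}")
```

Run this against banners captured from your own hosts rather than the samples; a service that still reports `LEAKS` after the banner was supposedly turned off is the configuration gap the slide warns about.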

15 Active Stack Fingerprinting
The second general method is called active stack fingerprinting. This technique involves sending packets to services on a host and analyzing the TCP/IP stack behavior in the returned packets. Because each OS vendor interprets the RFC standards for TCP/IP stack implementation differently, the OS can be determined based on knowledge of how different OS stacks respond to requests.

16 Examples 1
FIN probe: When a FIN packet is received, the receiving stack should terminate the connection but not respond to the sender. However, Windows NT machines respond with a FIN/ACK packet (as does HP-UX).
Bogus flag probe: A SYN packet with an undefined flag set is sent to the targeted host. Machines running the Linux operating system with kernel prior to will keep the flag set in their response. Other operating systems will RESET the connection when getting this kind of probe.
[Figure: TCP header fields: Header Length, Reserved, flags U A P R S F, Receiver Window Size]

17 Examples 2
TCP initial window: Some stack implementations use a unique initial window size on their returned packets. AIX, for example, is the only operating system using the value 0x3F25. OpenBSD and FreeBSD use 0x402E.
ICMP message quoting: ICMP error messages should quote a small amount of information from the message that caused the error. With almost all implementations, the information quoted in a PORT UNREACHABLE message is the IP header + 8 bytes. Solaris sends more information than is needed, and Linux even more.

18 Using Nmap nmap is also the tool of choice for stack fingerprinting.
The -O option can be used with a host address, and nmap will make an educated guess about the host OS. nmap uses an OS signature file called nmap-os-fingerprints to determine the OS. This file contains hundreds of OS idiosyncrasies that help increase the accuracy of nmap's guesses.

19 Example Using nmap on shemp:

20 Problems Like banner grabbing, active stack fingerprinting has some drawbacks. Clearly, nmap will not be 100% accurate, so a particular exploit for a specific service might fail. In addition, IDSs are becoming more aware of probes using bogus TCP flag combinations. Since nmap uses these when probing a host, this activity may be more likely to be detected.
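The IDS awareness of bogus flag combinations mentioned above, and the FIN and bogus-flag probes from Examples 1, can be illustrated with a small detector. The following Python is an added example (not from the lecture and not nmap's code): it unpacks raw 20-byte TCP headers, extracts the flags, the reserved bits and the window size that the fingerprinting probes rely on, and tags the probe-style flag combinations a signature-based IDS would look for. The packets are constructed inside the block; treating the ECE/CWR bits as legitimate ECN use and checking only the three reserved bits of the data-offset byte are assumptions of this example, not rules from the lecture.

```python
"""Flag-combination checks on raw TCP headers (added example)."""
import struct

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}
TCP_HDR = struct.Struct("!HHIIBBHHH")   # 20-byte header without options
RESERVED_MASK = 0x0E                    # three reserved bits of the data-offset byte (assumption)


def build_tcp_header(sport, dport, flags, reserved=0, window=0x2000, seq=1, ack=0):
    """Constructed packet builder for the demo: bare header, checksum left at zero."""
    offset_byte = (5 << 4) | (reserved & RESERVED_MASK)   # data offset = 5 words
    return TCP_HDR.pack(sport, dport, seq, ack, offset_byte, flags, window, 0, 0)


def parse_tcp_header(raw):
    """Pull the fields the lecture's probes depend on out of the first 20 bytes."""
    sport, dport, seq, ack, off, flags, window, _csum, _urg = TCP_HDR.unpack_from(raw)
    return {"sport": sport, "dport": dport, "flags": flags, "window": window,
            "reserved": off & RESERVED_MASK,
            "names": [name for bit, name in FLAG_NAMES.items() if flags & bit]}


def classify_flags(hdr):
    """Tags for probe-style flag combinations; an empty list means a normal segment."""
    tags = []
    core = hdr["flags"] & ~(ECE | CWR)      # ECN bits treated as legitimate (assumption)
    if hdr["reserved"]:
        tags.append("reserved-bits-set")    # the 'bogus flag' probe
    if core == 0:
        tags.append("null-probe")
    if core & FIN and not core & ACK:
        tags.append("fin-without-ack")      # the FIN probe; a normal FIN carries ACK
    if core & SYN and core & FIN:
        tags.append("syn-fin")
    if core & FIN and core & PSH and core & URG:
        tags.append("xmas")
    return tags


def scan_capture(packets):
    """Return (index, dst_port, tags) for every packet that raises at least one tag."""
    findings = []
    for i, raw in enumerate(packets):
        hdr = parse_tcp_header(raw)
        tags = classify_flags(hdr)
        if tags:
            findings.append((i, hdr["dport"], tags))
    return findings


def constructed_capture():
    """Constructed sample: a normal connection, then probe-style segments, then a reset."""
    return [
        build_tcp_header(40000, 80, SYN),                        # 0 normal connect
        build_tcp_header(80, 40000, SYN | ACK, window=0x402E),   # 1 reply; window as for OpenBSD/FreeBSD
        build_tcp_header(40000, 80, ACK | PSH),                  # 2 data
        build_tcp_header(40000, 80, FIN | ACK),                  # 3 normal close
        build_tcp_header(40001, 23, FIN),                        # 4 FIN probe
        build_tcp_header(40002, 23, SYN, reserved=0x08),         # 5 bogus flag probe
        build_tcp_header(40003, 23, 0),                          # 6 null probe
        build_tcp_header(40004, 23, FIN | PSH | URG),            # 7 xmas probe
        build_tcp_header(40005, 23, SYN | FIN),                  # 8 SYN/FIN
        build_tcp_header(23, 40005, RST | ACK),                  # 9 reset, normal
    ]


if __name__ == "__main__":
    for index, dport, tags in scan_capture(constructed_capture()):
        print(f"packet {index}: port {dport}: {', '.join(tags)}")
```

The same parse step exposes the initial window value, so the 0x3F25 / 0x402E distinction from Examples 2 is visible in `parse_tcp_header(...)["window"]`; a detector keyed on a single odd segment will be noisy, so in practice these tags are counted per source over a time window, as with the scan thresholds earlier in the lecture.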

21 Firewalking

22 Firewalking Concept Firewalking is a technique used to gather information about a remote network protected by a firewall. The technique is used for two purposes: determining the rule set or ACL of a firewall or other packet-filtering device (mapping open ports on a firewall), and mapping a network behind a firewall. When a firewall's policy is to drop ICMP ECHO request/reply, this technique is very effective.

23 How does Firewalking Work?
It involves using traceroute-like probing to determine whether or not a particular packet can pass through a packet-filtering device. Since traceroute depends only on the IP layer (the TTL field), any transport protocol can be used the same way (TCP, UDP, and ICMP). For firewalking we need two pieces of information in advance: the IP address of the last known gateway before the firewalling takes place, and the IP address of a host located behind the firewall. The first IP address serves as our waypoint. The second IP address is used as a destination to direct the packet flow.

24 traceroute traceroute is a diagnostic tool originally written by Van Jacobson that lets you view the route that an IP packet follows from one host to the next. traceroute uses the time-to-live (TTL) field in the IP packet to elicit an ICMP TIME_EXCEEDED message from each router. Each router that handles the packet is required to decrement the TTL field; thus, the TTL field effectively becomes a hop counter. traceroute may allow you to discover the network topology employed by the target network, in addition to identifying access control devices (application-based firewalls or packet-filtering routers) that may be filtering traffic. The Windows version is called tracert.

25 Example A simple example run:
traceroute Acme.net
traceroute to Acme.net ( ), 30 hops max, 40 byte packets
 1 gate2 ( ) ms ms ms
 2 rtr1.bigisp.net ( ) ms ms ms
 3 rtr2.bigisp.net ( ) ms ms ms
 4 hssitrt.bigisp.net ( ) ms ms ms
 5 gate.Acme.net ( ) ms ms ms
Typically, the hop before the target (hop 4) is a border router for the organization. Hop 5 might be the firewall.

26 traceroute options 1 Most flavors of traceroute in UNIX default to sending User Datagram Protocol (UDP) packets, with the option of using Internet Control Message Protocol (ICMP) packets with the -I switch. In Windows NT, however, the default behavior is to use ICMP echo request packets. So, vary the use of each tool if the site blocks UDP vs. ICMP and vice versa. The -g option of traceroute allows the user to specify loose source routing. If you believe the target gateway will accept source-routed packets (which is a cardinal sin), you might try to enable this option.

27 traceroute options 2 Other switches may allow you to bypass access control devices during a probe. The -p n option of traceroute allows you to specify a starting UDP port number (n) that is incremented by 1 with each probe launched. A traceroute patch adds the -S switch to stop port incrementation. This forces every packet sent to have a fixed port number, in the hope that the access control device will pass this traffic. A good starting port number would be UDP port 53 (DNS queries). Since many sites allow inbound DNS queries, there is a high probability that the access control device will allow our probes through.

28 Example 2 Prior example, then try another machine:
traceroute Acme.net
traceroute to Acme.net ( ), 30 hops max, 40 byte packets
 1 gate2 ( ) ms ms ms
 2 rtr1.bigisp.net ( ) ms ms ms
 3 rtr2.bigisp.net ( ) ms ms ms
 4 hssitrt.bigisp.net ( ) ms ms ms
 5 gate.Acme.net ( ) ms ms ms
Try another machine:
traceroute
traceroute to ( ), 30 hops max, 40 byte packets
 1 gate ( ) ms ms ms
 2 rtr1.bigisp.net ( ) ms ms ms
 3 rtr2.bigisp.net ( ) ms ms ms
 4 hssitrt.bigisp.net ( ) ms ms ms
 5 * * *
 6 * * *
The firewall apparently blocks UDP probes.

29 Example 3 Now send a probe with a fixed port of UDP 53, DNS queries:
traceroute -S -p
traceroute to ( ), 30 hops max, 40 byte packets
 1 gate ( ) ms ms ms
 2 rtr1.bigisp.net ( ) ms ms ms
 3 rtr2.bigisp.net ( ) ms ms ms
 4 hssitrt.bigisp.net ( ) ms ms ms
 ( ) ms ms ms
It appears that probes to UDP 53 get through the firewall.
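To tie together the TTL mechanism of traceroute, the firewalking idea, and the three example runs above, here is an added simulation (not from the lecture, and not a real traceroute): every router decrements the TTL and answers TIME_EXCEEDED when it reaches zero, while a filtering gateway silently drops anything its rule set does not permit, which is what prints as "* * *". The topology, host names and rule sets are constructed. It also goes one step beyond the slides on the defensive side: the same model shows why a rule that allows UDP/53 to any inside host lets the fixed-port probes through, and that restricting that rule to the DNS server alone closes the path for every other destination.

```python
"""Simulated traceroute against a packet-filtering gateway (added example)."""


class Node:
    """A router on the path. acl=None forwards everything; otherwise acl is a list
    of permit rules (proto, dst_port, dst_name_or_None) with an implicit default deny."""

    def __init__(self, name, acl=None):
        self.name, self.acl = name, acl

    def permits(self, proto, dport, dst):
        if self.acl is None:
            return True
        return any(p == proto and d == dport and (h is None or h == dst.name)
                   for p, d, h in self.acl)


def send_probe(path, dst, ttl, proto, dport):
    """One probe: returns (name of the replying node or None, kind of reply)."""
    for node in path:
        if node is dst:                           # probing the gateway itself
            return node.name, "PORT_UNREACHABLE" if proto == "udp" else "ECHO_REPLY"
        if not node.permits(proto, dport, dst):
            return None, "dropped"                # filtered silently: traceroute prints *
        ttl -= 1                                  # every router decrements the TTL ...
        if ttl == 0:
            return node.name, "TIME_EXCEEDED"     # ... and this reply reveals the hop
    return dst.name, "PORT_UNREACHABLE" if proto == "udp" else "ECHO_REPLY"


def traceroute(path, dst, proto="udp", dport=33434, fixed_port=False, max_hops=30):
    """Send one probe per TTL value; returns the list of hop names ('*' = no reply)."""
    hops = []
    for ttl in range(1, max_hops + 1):
        port = dport if fixed_port else dport + ttl - 1   # classic traceroute bumps the port
        who, _kind = send_probe(path, dst, ttl, proto, port)
        hops.append(who or "*")
        if who == dst.name:
            break
    return hops


# Constructed topology (names only, no real addresses), modelled on the lecture's runs.
WWW, NS = Node("www.inside"), Node("ns.inside")
WEAK_ACL = [("udp", 53, None), ("tcp", 80, "www.inside")]          # DNS to anyone inside
STRICT_ACL = [("udp", 53, "ns.inside"), ("tcp", 80, "www.inside")]  # DNS to the resolver only


def build_path(acl):
    return [Node("gate"), Node("rtr1.bigisp.net"), Node("rtr2.bigisp.net"),
            Node("hssitrt.bigisp.net"), Node("gate.Acme.net", acl)]


def demo():
    """Replay the lecture's runs against the weak rule set, then the strict one."""
    weak, strict = build_path(WEAK_ACL), build_path(STRICT_ACL)
    return {
        "to the gateway itself":       traceroute(weak, weak[-1], max_hops=7),
        "default udp, weak acl":       traceroute(weak, WWW, max_hops=7),
        "fixed udp/53, weak acl":      traceroute(weak, WWW, dport=53, fixed_port=True, max_hops=7),
        "fixed udp/53, strict acl":    traceroute(strict, WWW, dport=53, fixed_port=True, max_hops=7),
        "fixed udp/53 to dns, strict": traceroute(strict, NS, dport=53, fixed_port=True, max_hops=7),
    }


if __name__ == "__main__":
    for label, hops in demo().items():
        print(f"{label:28s} {' -> '.join(hops)}")
```

The firewall checks its rules before decrementing the TTL, which is why a dropped probe never produces the gateway's own TIME_EXCEEDED reply; that matches the slides, where the filtering hop shows as "* * *" instead of gate.Acme.net once probes are blocked.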

30 VisualRoute There is a more sophisticated version of traceroute that can be purchased from called VisualRoute. It's the Cadillac of traceroute tools: VisualRoute provides not just router hop information but also geographic location, whois lookups, and web server banner information.

31 Example 1 Run VisualRoute on

32 Example 2 Run VisualRoute on UPS. Run 1: ICMP. Run 2: set to send UDP.

33 Xtraceroute Xtraceroute is a free package similar to VisualRoute.
Can be found at:
