1 COUNTER HACK, Chapter 6: Scanning
Information Networking Security and Assurance Lab, Department of Communication Engineering, National Chung Cheng University, Chia-Yi, Taiwan, ROC
Mike

2 Network Mapping
Focus on IP-based computer systems. Map out your network infrastructure:
- Map and scan your Internet gateway, including DMZ systems such as the Web, mail, FTP and DNS servers.
- Map and scan your internal network.
[Diagram: INTERNET, BORDER ROUTER?, FIREWALL?, SERVER, INTERNAL NETWORK?]

3 Network Mapping Techniques
- Finding live hosts
- Tracing your network topology

4 Finding Live Hosts
- ICMP ping: ping every possible address in the target range to determine which ones have active hosts.
- Ping sends an ICMP Echo Request packet; a live host answers with an ICMP Echo Reply.
[Diagram: Attacker sends an ICMP Echo Request packet to the Victim.]

5 Traceroute
Traceroute relies on the IP Time-To-Live (TTL) field. Every router decrements the TTL; the router that decrements it to zero discards the packet and sends an ICMP Time Exceeded message back to the originator, which reveals that router's address.

6 Traceroute
[Diagram: a probe with TTL = 1 expires at the first ROUTER, which answers with Time Exceeded; a probe with TTL = 2 expires one hop further on.]

7 Cheops
- Develops a network inventory and topology using ping and traceroute.
- Runs on Linux.

8 Defenses against Network Mapping
Filter:
- Use your firewalls and the packet-filtering capabilities of your routers.
- Stop ICMP Time Exceeded messages from leaving your network.

9 Using Port Scanners
Once you know the addresses of the live systems and have a basic understanding of your network, analyze which ports are open.
The TCP/IP stack offers 65,535 TCP ports and another 65,535 UDP ports (numbers 1 through 65,535). Well-known port assignments were listed in RFC 1700, Assigned Numbers (since obsoleted; the current list is the IANA port-number registry).

10 Using Port Scanners
Ports are like doors on each machine. A port scan knocks on each door to see if anyone is listening behind it:
- Someone behind the door: you get a response.
- No one behind the door: no answer comes back.

11 Free port-scanning tools
- Nmap (www.insecure.org/Nmap)
- Strobe (packetstorm.securify.com/UNIX/scanners/)
- Ultrascan, a Windows NT port scanner (packetstorm.securify.com/UNIX/scanners)

12 Nmap
What type of packets does the scanning system send?
- TCP Connect, TCP SYN, TCP FIN, ...
Some scan types can cause the target system to become flooded or even crash.

13 Types of Nmap Scans
A legitimate TCP connection is established with a three-way handshake:
1. Attacker -> Victim: SYN with initial sequence number ISN A
2. Victim -> Attacker: SYN with ISN B, acknowledging ISN A
3. Attacker -> Victim: ACK of ISN B
Connection established. A TCP Connect scan completes all three steps; a TCP SYN scan stops after step 2 and tears the half-open connection down with a RST instead of sending the final ACK.
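The connect scan as a worked example (added here; it is not code from the slides or from Nmap): a small Python scanner that completes the three-way handshake on each port and classifies the port as open, closed or filtered from what the remote stack answers. The listener it scans is started on loopback by the script itself, so it runs offline; the port numbers are whatever the OS hands out, and the listener is a constructed stand-in for a real service.

```python
import socket
import threading
from typing import Dict, Iterable


def _accept_loop(srv: socket.socket) -> None:
    """Accept and immediately close, like a minimal daemon behind the door."""
    while True:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:  # listener closed by the caller
            return


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Open a TCP listener on an OS-chosen port: the 'open door' the scan should find."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    return srv


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """TCP connect scan: complete the three-way handshake on every port.

    open     -> handshake completed (SYN, SYN-ACK, ACK)
    closed   -> the stack answered our SYN with RST (connection refused)
    filtered -> no answer within the timeout (dropped by a packet filter)
    """
    results: Dict[int, str] = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:  # socket.timeout and anything else the stack reports
            results[port] = "filtered"
        finally:
            s.close()
    return results


def free_port(host: str = "127.0.0.1") -> int:
    """Bind and release a port so the demo has a known-closed door."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo_local_scan() -> Dict[str, object]:
    """Scan loopback: one listening port and one known-closed port."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = free_port()
    try:
        scan = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "scan": scan}


if __name__ == "__main__":
    r = demo_local_scan()
    for port, state in sorted(r["scan"].items()):
        print(f"{port:5d}/tcp {state}")
```

Because the scan completes the handshake, the target's service sees a real connection and logs it, which is why Nmap's default SYN scan stops one packet short.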

14 TCP ACK Scans
A simple packet filter device between the EXTERNAL NETWORK and the INTERNAL NETWORK:
- Allows outgoing traffic (SYN) out and the established responses to it (SYN-ACK) back in.
- Blocks incoming packets that have only the SYN bit set, i.e. attempts from outside to open a new connection.
It does this by passing any inbound packet that carries the ACK bit, since every legitimate response carries ACK.

15 TCP ACK Scans
The attacker sends packets with only the ACK bit set to destination ports 1024, 1025, 1026, ... Where the filter passes the ACK, the internal host answers with a RESET; where the filter drops it, nothing comes back. "Aha! I know port 1026 is open through the firewall."
Caveat: a RESET only proves that the port is unfiltered at the firewall, not that a service is listening on it; an ACK scan maps filter rules, not open ports.

16 FTP Bounce Scans
The attacker opens an FTP control connection to an FTP server that supports FTP forwarding (data connections to a third-party host) and asks it, port by port, to "open a data connection to send a file to the victim on port 1", "... port 2", etc. Whether each data connection succeeds tells the attacker which victim ports are open, and the victim only ever sees the FTP server.

17 How to avoid FTP Bounce Scans
Make sure that your FTP server does not support this bounce capability. Check your FTP server against CERT advisory CA-1997-27 (www.cert.org/advisories/CA-1997-27.html).

18 Standard FTP Control and Data Connections (active mode)
An internal FTP client behind a FIREWALL talking to an external FTP server:
- FTP control connection: opened by the client to TCP destination port 21 on the server.
- FTP data connection: opened by the server, from TCP source port 20, back to the port the client named in its PORT command.

19 FTP Data Connections through Firewalls
Active-mode FTP makes standard FTP harder for routers and firewalls to handle, because the data connection comes inbound from the server. A simple filter that permits inbound connections from source port 20 accepts every one of them: Src port = 20, Dst port = 1024; Src port = 20, Dst port = 1025; Src port = 20, Dst port = 1026; ... "Duh ... I'll let in that incoming FTP data connection." An attacker who sets the source port of the probes to 20 can reach internal client ports the same way.
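An added example (constructed for this page; not code from the slides, from CERT or from any FTP daemon) of the bounce scan on slide 16 and the fix recommended on slide 17, in Python. The FTP server model, the victim's port table and the addresses are assumptions made for the demonstration: the "vulnerable" server honours a PORT command that names a third-party host, while the "hardened" server only builds data connections back to the client that issued the command (and only to unprivileged ports).

```python
from typing import Dict, Optional, Set, Tuple


def encode_port_cmd(ip: str, port: int) -> str:
    """FTP PORT argument: the four address octets, then the port as high byte, low byte."""
    return "PORT " + ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def parse_port_cmd(arg: str) -> Optional[Tuple[str, int]]:
    octets = arg.split(",")
    if len(octets) != 6 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(octets[:4]), int(octets[4]) * 256 + int(octets[5])


class FtpServer:
    """Toy model of an FTP server's PORT/LIST handling (constructed, not real ftpd code).

    network: {host: set of listening TCP ports} is the world the server can reach.
    allow_third_party=True  -> the 'FTP forwarding' behaviour a bounce scan abuses
    allow_third_party=False -> the CA-1997-27 fix: data connections only to the client
    """

    def __init__(self, network: Dict[str, Set[int]], allow_third_party: bool) -> None:
        self.network = network
        self.allow_third_party = allow_third_party
        self.data_target: Optional[Tuple[str, int]] = None

    def handle(self, client_ip: str, line: str) -> str:
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "PORT":
            parsed = parse_port_cmd(arg)
            if parsed is None:
                return "501 Syntax error in parameters"
            host, port = parsed
            if not self.allow_third_party and (host != client_ip or port < 1024):
                return "500 Illegal PORT command"
            self.data_target = (host, port)
            return "200 PORT command successful"
        if cmd == "LIST":
            if self.data_target is None:
                return "425 Use PORT or PASV first"
            host, port = self.data_target
            if port in self.network.get(host, set()):
                return "150 Opening ASCII mode data connection for file list"
            return "425 Can't build data connection: Connection refused"
        return "502 Command not implemented"


def bounce_scan(server: FtpServer, attacker_ip: str, victim_ip: str, ports) -> Dict[int, str]:
    """Ask the FTP server to open its data connection to each victim port and read
    the port state off the reply to LIST. The victim only ever sees the FTP server."""
    result: Dict[int, str] = {}
    for port in ports:
        reply = server.handle(attacker_ip, encode_port_cmd(victim_ip, port))
        if not reply.startswith("200"):
            result[port] = "blocked"  # the server refuses to bounce
            continue
        reply = server.handle(attacker_ip, "LIST")
        result[port] = "open" if reply.startswith("150") else "closed"
    return result


def run_demo() -> Dict[str, object]:
    network = {"10.1.1.50": {22, 80}}  # constructed victim behind the FTP server
    attacker, victim = "203.0.113.9", "10.1.1.50"
    ports = [21, 22, 80, 1026]
    vulnerable = FtpServer(network, allow_third_party=True)
    hardened = FtpServer(network, allow_third_party=False)
    return {
        "vulnerable": bounce_scan(vulnerable, attacker, victim, ports),
        "hardened": bounce_scan(hardened, attacker, victim, ports),
        # the hardened server still serves its own client in active mode
        "hardened_accepts_own_client": hardened.handle(
            attacker, encode_port_cmd(attacker, 50000)).startswith("200"),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

The same PORT-then-LIST exchange is what you type by hand to check a real server against the advisory: a server that answers 200 to a PORT naming an address other than your own still supports the bounce.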

20 Defenses against Port Scanning
Harden your systems:
- Close all unused ports.
- Minimize the services and tools installed.
Find the openings before the attackers do: scan your own systems.
Use stateful inspection:
- The firewall remembers every outgoing SYN in a connection table.
- Incoming packets are checked against that table, which defeats ACK scans: an ACK that matches no connection the inside started is dropped.
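An added example (not from the slides or from any firewall product) that contrasts the slide 14 packet filter with the stateful inspection defense of slide 20 against the ACK scan of slide 15, in Python. The hosts, the addresses (from documentation ranges) and both filter models are constructed for illustration; the probe is a bare ACK, and a probe the filter passes is counted as "unfiltered" because the host behind it would answer with RST.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_new_connection(p: Packet) -> bool:
    """A bare SYN (SYN set, ACK clear) is the first packet of a new TCP connection."""
    return p.syn and not p.ack


class StatelessFilter:
    """Slide 14 rule set: let outbound traffic out, block inbound packets that try
    to open a connection, and let everything else in so replies get through."""

    def outbound(self, p: Packet) -> None:
        pass  # keeps no memory of what went out

    def inbound_allowed(self, p: Packet) -> bool:
        return not is_new_connection(p)


class StatefulFilter:
    """Slide 20 defense: remember every outbound SYN in a connection table and
    only admit inbound packets that belong to a connection the inside started."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, p: Packet) -> None:
        if is_new_connection(p):
            self.table.add((p.src, p.sport, p.dst, p.dport))

    def inbound_allowed(self, p: Packet) -> bool:
        if is_new_connection(p):
            return False
        # a reply mirrors the entry: its dst/dport are our src/sport and vice versa
        return (p.dst, p.dport, p.src, p.sport) in self.table


def ack_scan(fw, attacker: str, target: str, ports) -> Dict[int, str]:
    """Nmap-style ACK scan. The probe is a bare ACK. A host that receives an ACK
    for a connection it does not have answers with RST, so:
      probe passes the filter -> RST comes back -> 'unfiltered'
      probe dropped           -> silence        -> 'filtered'
    """
    verdict: Dict[int, str] = {}
    for port in ports:
        probe = Packet(attacker, 40000 + port, target, port, ack=True)
        verdict[port] = "unfiltered" if fw.inbound_allowed(probe) else "filtered"
    return verdict


def run_demo() -> Dict[str, Dict[str, object]]:
    internal, web, attacker = "10.1.1.50", "198.51.100.7", "203.0.113.9"  # constructed
    out: Dict[str, Dict[str, object]] = {}
    for name, fw in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        # legitimate browsing: the internal client opens a connection to an outside web server
        fw.outbound(Packet(internal, 51000, web, 80, syn=True))
        synack = Packet(web, 80, internal, 51000, syn=True, ack=True)
        out[name] = {
            "legit_reply_allowed": fw.inbound_allowed(synack),
            "ack_scan": ack_scan(fw, attacker, internal, [22, 25, 80, 1026]),
        }
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Both filters admit the real SYN-ACK, so the user notices no difference; only the stateful one refuses the attacker's ACKs, because no connection-table entry matches them.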

21 How Firewalk Works
Firewalk discovery phase: count the number of hops to the firewall. The ATTACKER sends probes with TTL = 1, TTL = 2, TTL = 3, ...; each expires one hop further on and draws a Time Exceeded message, first from the ROUTER and then from the Packet Filter Firewall whose external IP is 10.1.1.1. The TTL that draws the firewall's own reply is the hop count.

22 Determining Firewall Filter Rules with Firewalk
Firewalk scanning phase: determine which ports are allowed through the firewall. With the firewall three hops away, the ATTACKER sends TCP probes with TTL = 4 to port 1, port 2, port 3, ... A probe the firewall drops produces nothing; a probe it forwards expires at the next hop, which answers with Time Exceeded. "Aha! TCP port 3 is unfiltered!"

23 Firewalk Defenses
Configure the firewall with the minimum set of ports allowed through it.

24 Firewalk Defenses
- Replace packet-filtering devices with proxy-based firewalls (proxies do not pass TTL information through).
  Drawback: lower performance.
- Filter out ICMP Time Exceeded messages leaving your network.
  Drawback: normal users and network administrators will not be able to traceroute.
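An added example (a constructed simulation in Python, not the Firewalk tool and not code from the slides) of how traceroute (slides 5 and 6) and the two Firewalk phases (slides 21 and 22) read the TTL, together with the slide 24 defense of filtering outbound ICMP Time Exceeded. The path, the addresses (documentation ranges) and the firewall's allowed-port set are assumptions made for the demo.

```python
from typing import Dict, List, Optional, Set, Tuple

Reply = Optional[Tuple[str, str]]  # (kind, sender ip), or None when nothing comes back


class Hop:
    """One router on the path. A hop with `allowed_ports` also acts as a packet filter."""

    def __init__(self, ip: str, allowed_ports: Optional[Set[int]] = None) -> None:
        self.ip = ip
        self.allowed_ports = allowed_ports


class Path:
    """Constructed model of attacker -> hops -> target (not a real network).

    Every hop decrements the TTL; the hop that takes it to zero answers with ICMP
    Time Exceeded. A filtering hop silently drops probes to ports it does not
    allow. With leak_time_exceeded=False the hops behind the filter send no
    Time Exceeded at all (slide 24: filter it at the border)."""

    def __init__(self, hops: List[Hop], target_ip: str, leak_time_exceeded: bool = True) -> None:
        self.hops = hops
        self.target_ip = target_ip
        self.leak_time_exceeded = leak_time_exceeded

    def send(self, ttl: int, dport: int) -> Reply:
        behind_filter = False
        for hop in self.hops:
            ttl -= 1
            if ttl == 0:
                if behind_filter and not self.leak_time_exceeded:
                    return None
                return ("time_exceeded", hop.ip)
            if hop.allowed_ports is not None:
                if dport not in hop.allowed_ports:
                    return None  # dropped by the filter; no ICMP message
                behind_filter = True
        return ("reached", self.target_ip)


def traceroute(path: Path, dport: int = 33434, max_ttl: int = 30) -> List[Optional[str]]:
    """Classic traceroute: probes with TTL 1, 2, 3, ... until the target answers.
    None stands for a '* * *' line (no reply within the timeout)."""
    route: List[Optional[str]] = []
    for ttl in range(1, max_ttl + 1):
        reply = path.send(ttl, dport)
        if reply is None:
            route.append(None)
            continue
        kind, sender = reply
        route.append(sender)
        if kind == "reached":
            break
    return route


def firewalk(path: Path, firewall_ip: str, ports, max_ttl: int = 30) -> Dict[int, str]:
    """Discovery: raise the TTL until the firewall itself answers Time Exceeded; that
    TTL is the hop count. Scanning: send each port probe with TTL = hops + 1. A Time
    Exceeded from the hop behind the firewall means the filter let the probe through."""
    hops = None
    for ttl in range(1, max_ttl + 1):
        reply = path.send(ttl, 33434)  # port is irrelevant: the TTL expires before filtering
        if reply is not None and reply[1] == firewall_ip:
            hops = ttl
            break
    if hops is None:
        raise RuntimeError("firewall not seen on the path")
    verdict: Dict[int, str] = {}
    for port in ports:
        reply = path.send(hops + 1, port)
        passed = reply is not None and reply[0] == "time_exceeded" and reply[1] != firewall_ip
        verdict[port] = "unfiltered" if passed else "filtered"
    return verdict


def build_path(leak_time_exceeded: bool = True) -> Path:
    """Two routers, then the firewall 10.1.1.1 (allows TCP 25 and 80), an internal router, the target."""
    hops = [Hop("192.0.2.1"), Hop("192.0.2.2"), Hop("10.1.1.1", allowed_ports={25, 80}), Hop("10.1.1.2")]
    return Path(hops, "10.1.1.50", leak_time_exceeded)


def run_demo() -> Dict[str, object]:
    path = build_path()
    ports = [22, 25, 80, 443]
    return {
        "trace_udp": traceroute(path, max_ttl=5),   # stalls at the firewall: the probe port is filtered
        "trace_80": traceroute(path, dport=80),     # walks all the way in on an allowed port
        "firewalk": firewalk(path, "10.1.1.1", ports),
        "firewalk_icmp_filtered": firewalk(build_path(leak_time_exceeded=False), "10.1.1.1", ports),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Note that suppressing outbound Time Exceeded blinds Firewalk's scanning phase (every port reads as filtered) but not its discovery phase, because the firewall itself still answers; it also makes traceroute from inside stop at the border, which is the drawback the slide names.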

25 Vulnerability Scanning
What is a vulnerability scanner? The types of vulnerabilities it looks for:
- Common configuration errors.
- Default configuration weaknesses.
- Well-known system vulnerabilities.

26 Vulnerability Scanner
A generic vulnerability scanner has these components: a User Configuration Tool, a Scanning Engine, a Knowledge Base of the Current Active Scan, a Results Repository and Report Generation, a Vulnerability Database, and the TARGETS it scans.

27 The Nessus Architecture
Client-server architecture:
- Client: the user configuration tool and a results repository/report generation tool.
- Server: the vulnerability database, a knowledge base of the current active scan, and the scanning engine.

28 The Nessus Architecture
- Supports strong authentication, based on public-key cryptography.
- Supports strong encryption of the client-server channel, based on the Twofish and RIPEMD algorithms.
- The most common use: client and server running on a single machine.

29 Vulnerability Scanning Defenses
- Close unused ports.
- Keep systems patched.
- Run the tools against your own networks.
  Be careful with Denial-of-Service (DoS) and password-guessing tests!
  Be aware of the limitations of vulnerability scanning tools.

30 Intrusion Detection Systems (IDS)
- All the scanning tools are noisy.
- Their traffic can be detected by a network-based intrusion detection system (IDS).
- An IDS listens for attacks and warns administrators of the attacker's activities.

31 How Intrusion Detection Systems Work
- Capture all data on the LAN.
- Sort through this data to determine whether an actual attack is under way.
- Keep a database of attack signatures and match the captured traffic against it.
- When an attack is discovered, the IDS warns the administrator.

32 A Network-Based Intrusion Detection System
[Diagram: the ATTACKER sends traffic to TCP port 23 and TCP port 80 on the PROTECTED SERVER; the NETWORK IDS PROBE on the path sees the port 23 traffic and raises an alert: "Port 23! Alert!"]

33 IDS Evasion at the Network Level
Fragment packets. The IDS must reassemble the fragments, but different target systems handle fragments in inconsistent ways, so the IDS cannot be sure what the target will see:
- Just use fragments.
- Send a flood of fragments.
- Fragment the packets in unexpected ways.

34 The tiny fragment attack
[Diagram: the ATTACKER sends Fragment 1 (part of the TCP header) and Fragment 2 (the rest of the TCP header, including the port number) to the PROTECTED SERVER; the NETWORK IDS PROBE, seeing no complete header in the first fragment, says "Looks good to me ..."]

35 A fragment overlap attack
[Diagram: Fragment 1 is part of a TCP packet for port 80; Fragment 2 announces "My offset is xyz" and its data contains part of a TCP header with port 23, overlapping Fragment 1. The NETWORK IDS PROBE keeps the port 80 version and says "Looks good to me ..."; the PROTECTED SERVER keeps the port 23 version.]

36 Using FragRouter to evade IDS detection
[Diagram: the ATTACK SYSTEM sends normal attack packets to FRAGROUTER, which rewrites them as attack fragments and forwards them past the NETWORK IDS PROBE ("Looks good to me ...") to the VICTIM.]

37 Some of the Many Fragmentation Options Offered by FragRouter

Name    Flag  How the packets are mangled
frag-1  -F1   Send data in ordered 8-byte IP fragments.
frag-2  -F2   Send data in ordered 24-byte IP fragments.
frag-3  -F3   Send data in ordered 8-byte IP fragments, with one fragment sent out of order.
tcp-1   -T1   Complete the TCP handshake, send a fake FIN and RST (with bad checksums), then send the data in ordered 1-byte segments.
tcp-5   -T5   Complete the TCP handshake, send the data in ordered 2-byte segments, preceding each segment with a 1-byte null data segment that overlaps the latter half of it. The forward-overlapping 2-byte segment rewrites the null data back to the real attack.
tcp-7   -T7   Complete the TCP handshake, send the data in ordered 1-byte segments interleaved with 1-byte null segments for the same connection but with drastically different sequence numbers.
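An added example (Python, constructed for this page; not FragRouter's code or the slides') of the tiny-fragment and overlap attacks of slides 33 to 35 against a signature-matching probe like the one on slide 32. The reassembly policies "first" and "last" stand for the two ways real stacks resolve overlapping fragments; the TCP header fields other than the ports are placeholders, and the "port 23" signature is the one from the slide.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional


def tcp_header(sport: int, dport: int, flags: int = 0x02) -> bytes:
    """Minimal 20-byte TCP header; seq, ack, window and checksum are placeholders."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 8192, 0, 0)


@dataclass
class Fragment:
    offset: int   # byte offset into the original payload (a multiple of 8 on the wire)
    data: bytes
    more: bool    # MF flag: more fragments follow


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Rebuild the payload. Overlapping bytes are resolved by `policy`: 'first' keeps
    the bytes that arrived first, 'last' lets later fragments overwrite them. Real
    stacks differ in exactly this way, which is what the overlap attack exploits."""
    size = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(size)
    written = [False] * size
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if written[pos] and policy == "first":
                continue
            buf[pos] = b
            written[pos] = True
    return bytes(buf)


TELNET_SIGNATURE = 23  # the probe's 'port 23' rule from slide 32


def dst_port(tcp: bytes) -> Optional[int]:
    return struct.unpack("!H", tcp[2:4])[0] if len(tcp) >= 4 else None


def ids_first_fragment_only(frags: List[Fragment]) -> bool:
    """Naive probe: inspects only the first fragment, and only when it holds a full
    TCP header; anything shorter is waved through ('looks good to me')."""
    first = next((f for f in frags if f.offset == 0), None)
    if first is None or len(first.data) < 20:
        return False
    return dst_port(first.data) == TELNET_SIGNATURE


def ids_reassembling(frags: List[Fragment], policy: str) -> bool:
    """Better probe: reassembles first, but has to pick one overlap policy."""
    return dst_port(reassemble(frags, policy)) == TELNET_SIGNATURE


def tiny_fragments(payload: bytes, size: int = 8) -> List[Fragment]:
    """frag-1 style: ordered 8-byte fragments, so the header spans three of them."""
    return [Fragment(o, payload[o:o + size], o + size < len(payload))
            for o in range(0, len(payload), size)]


def overlap_attack(real_port: int, decoy_port: int) -> List[Fragment]:
    """Slide 35: the first fragment carries a harmless header (decoy port), a second
    fragment at the same offset rewrites it with the real port, then the rest follows.
    Whoever favours the later fragment sees the real port; whoever favours the first
    sees the decoy."""
    decoy = tcp_header(40000, decoy_port)
    real = tcp_header(40000, real_port)
    return [Fragment(0, decoy[:8], True), Fragment(0, real[:8], True), Fragment(8, real[8:], False)]


def run_demo() -> dict:
    telnet = tcp_header(40000, 23)          # constructed attack packet: a SYN to port 23
    tiny = tiny_fragments(telnet)
    overlap = overlap_attack(real_port=23, decoy_port=80)
    return {
        "tiny_naive_alert": ids_first_fragment_only(tiny),                   # evaded
        "tiny_reassembled_alert": ids_reassembling(tiny, "first"),           # caught
        "overlap_ids_first_policy": ids_reassembling(overlap, "first"),      # IDS sees port 80
        "overlap_target_last_policy": dst_port(reassemble(overlap, "last")), # target sees 23
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The second pair of results is the point of slide 33: reassembling is necessary but not sufficient, because an IDS that resolves overlaps differently from the host it protects is inspecting a packet the host will never see. Target-aware reassembly (knowing each host's policy) or normalising fragments before they reach the host closes that gap.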

38 IDS Evasion Defenses
- Keep the IDS up to date.
- Use both host-based and network-based IDS.

39 References
- Firewalk: http://www.packetfactory.net/Firewalk/firewalk-final.html
- Nessus: www.nessus.org

40 Vulnerability Assessment Tool

41 Description
Nessus is a free, open-source vulnerability scanner that provides a view of your networks as seen by outsiders.

42 Description
Nessus also provides many kinds of detailed reports that identify the vulnerabilities and the critical issues that need to be corrected.
Nessus features:
- Plugin-based
- Exportable reports

43 Structure

44 Step (I): install Nessus
Some ways to install:
- lynx -source http://install.nessus.org | sh  (dangerous: it pipes an unverified download straight into a shell)
- sh nessus-installer.sh  (easy and less dangerous)

45 Step (II): create a nessusd account
- Add the client user's account.
- Authentication method: password.
- Edit the user's rights.

46 Step (III): create a nessusd account
- Authentication method: key (instead of a password).
- The user's key information.

47 Step (V): Nessus client configuration
- The nessusd server's address.
- The port number nessusd listens on.
- Login user name.
- User password.
- Click on "Log in".

48 Scan options
- The scan range (which ports to scan).
- Options to avoid detection by an IDS.
- Choose the scan tools (port scanners) to use.

49 Input the target's address.

50 Nessus information; start the scan.

51 The scan process: scanning.

52 Exporting the data (I)
- The target's open ports.
- For each finding, background information on the security issue and the recommended solution.

53 Exporting the data (II)
- Report in HTML with graphs.
- Warning information.

54 Summary
Nessus is a powerful vulnerability assessment tool and port scanner.

55 Reference
- Nessus: http://www.nessus.org

