Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scanning and Spoofing Lesson 7. Scanning Ping Sweeps Port Scanners Vulnerability Scanning tools.

Published byWinfred Riley Modified over 8 years ago

Similar presentations

Presentation on theme: "Scanning and Spoofing Lesson 7. Scanning Ping Sweeps Port Scanners Vulnerability Scanning tools."— Presentation transcript:

1 Scanning and Spoofing Lesson 7

2 Scanning Ping Sweeps Port Scanners Vulnerability Scanning tools

3 Ping Sweep PING (Packet INternet Groper) A utility designed to determine whether or not a remote system is accessible. Using PING, attackers can send an ICMP echo request to every address within a range to determine which systems are “up and running” Every system that is up will respond with an echo reply, providing a list of potential targets

4 PING Sweeps Echo Request Unused Address 10.1.1.9 Attacker Target List Echo Request Unused Address 10.1.1.11 10.1.1.10 Echo Reply

5 PING Sweeps Less effective today than in the past Recent rise in DoS attacks which also use ICMP have resulted in administrators setting their systems to reject inbound ICMP echo requests. Can still be effective for insiders or attackers who have been able to penetrate at least one system. There are a number of different packages that can be downloaded that accomplish this type of scan.

6 Port Scanning A Port Scanner is a program that checks a computer’s TCP/IP stack for ports that are in the LISTEN state. There are 65,535 possible ports 1-1023 are considered “well known” 1024-49151 are called “registered ports” 49152-65,535 are dynamic or private ports RFC 793 defines how TCP will react to FIN, ACK, and SYN packets.

7 RFC 793 If the state is CLOSED (that is, Transmission Control Block does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RESET (RST) is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment. If the state is LISTEN then first check for an RST, An incoming RST should be ignored. Second check for an ACK. Any acknowledgment is bad if it arrives on a connection still in the LISTEN state. An acceptable reset segment should be formed for any arriving ACK-bearing segment. Third check for a SYN, if the SYN bit is set, check the security. IF the security/compartment on the incoming segment does not exactly match the security/compartment in the TCB then send a reset and return.

8 Some Well-known ports Port NumberNetwork Service 20File Transfer Protocol (FTP) Data 21File Transfer Protocol (FTP) Control 23Telnet 25Simple Mail Transfer Protocol (SMTP) 53Domain Name Server (DNS) 79Finger 80World Wide Web (HTTP) 110Post Office Protocol – Version 3 443HTTPS

9 Port Scanning In a Port Scan, the system will attempt to connect to specific (or all) ports on the remote system to see which respond. Responding ports are considered “open” and the attacker can then attempt to exploit (especially known services on well-known ports). Large number of tools available to perform port scanning. nmap is one of the most popular tools that can perform a port scan.

10 Port Scanning Attacker Web server 80 79 82 81 80 Services List HTTP

11 Types of Port Scanning TCP SYN Scanning – “half open” scanning. Sends a SYN packet to each remote port. Open ports respond with a SYN/ACK packet. Closed ports usually respond with an RST packet. TCP FIN Scanning – Sends a FIN packet (normally sent to clear connection when conversation is finished). Closed ports usually respond with an RST packet. Open ports usually ignore FIN packets. UDP Scanning – often more difficult than TCP since UDP services will not respond. If an ICMP “port unreachable” message is received, however, it is an indication the service is NOT running. If the message is NOT received… Fragmentation Scanning – break scan up into several smaller packets. This may result in being able to hide the scan from firewalls and IDS. Relay or bounce scanning – send scan through another system (proxy or forwarding gateway), may confuse/hide origin of attack Decoy scanning – send a large number of spoofed packets along with your real one so they hide the real scan.

12 Vulnerability Scanning One approach to vulnerability scanning is to Use a port-scanning tool such as nmap to identify the OS and to log all listening ports May return something like –Linux Kernel 2.2 with ports 21, 25, 53, 80 listening What the ports are and what vulnerabilities that may exist in them is an exercise left up to the user. The purpose of a vulnerability scanner is to detect the presence of specific vulnerabilities Common components for vulnerability scanners Vulnerability data – information about known vulnerabilities, how knowledgeable is the tool? Scanning mechanism – the “guts” of the scanner, how accurate is the tool? Reporting mechanism – interface with user

13 Types of vulnerability scanners Commercial scanners: developed and sold by companies (e.g. ISS and Cisco). Due to development time, often lag freeware scanners. Freeware scanners: developed and released “in the community” General-purpose scanners: look for a wide range of vulnerabilities on a large number of operating systems and applications. Often used in a security audit. Application scanners: written to examine a specific application for vulnerabilities associated with it. Service scanners: Scanning tool used to examine a specific network service, such as WWW, for common vulnerabilities associated with that service. Specific vulnerability scanners: written to only check for a specific vulnerability.

14 Possible information from scanning Which systems are active What services are available/listening What operating system is in use Which version of an application is running Which users have an account on the system and which are active What the security configuration/settings are Whether certain patches have been installed Information about specific vulnerabilities Possibly whether a specific exploit will be successful

15 Ways to recognize scanning System log file analysis – look for multiple, short duration connections or connection attempts. Network traffic – monitor the volume of inbound and outbound network traffic. If you have established a profile of what is normal activity you will be able to recognize spikes in the activity level which may indicate scanning activity. Firewall and router logs – look for multiple rejections or access violations coming from the same source or group of sources. Intrusion detection systems – most IDS contain built-in methods for examining traffic to detect scanning attempts.

16 Defending against Scanning and its effects Block ports at your router/firewall. Block ICMP, including echo Create a DMZ Use bastion hosts/proxy servers Use NAT to hide private, internal IP addresses Remove default/sample materials Remove unnecessary services Restrict permissions Change default headers associated with services Keep applications and operating systems patched

17 SATAN (security tool)

18

19 Spoofing “a sophisticated technique of authenticating one machine to another by forging packets from a trusted source address.”

20 Types of Spoofing IP Spoofing – an attacker uses an IP address of another computer to acquire info. Email Spoofing – involves spoofing the from address of an email. Web Spoofing – a site may not be what it appears to be or what its url would imply it is. Non-technical Spoofing – concentrates on compromising the human element of a company.

21 IP Spoofing This may simply consist of forging the from address in an IP packet so it appears to have come from somewhere else. Often used to trick target machine into believing packet is coming from a host it trusts, thus getting the target machine to perform some task. To do appropriately it may involve sniffing, spoofing, and DoS attack

22 Two themes present in these definitions Trust “the relationship between machines that are authorized to connect to one another.” Authentication “the process those machines use to identify each other.” Generally these two have an inverse relationship: If a high degree of trust exists between two machines, the amount of authentication is low. If little trusts exists between the machines, a great deal of authentication is required.

23 Authentication and Trust Most common method of authentication is the userid/password combination. If a user on a local network wants to access another system on the local network, having to supply the password to log on is a nuisance. Consequently, a trusted relationship may be established where one local system will trust the other to have authenticated the user originally and will thus not require additional authentication. An example of this is the UNIX.rhosts and hosts.equiv files.

24 Trusted relationships in UNIX.rhosts file is used to establish a trusted relationship between machines. Used by rlogin, rsh, and rcp to determine which remote hosts and users are considered “trusted” and are allowed to access the host without supplying a password. rlogin (remote login), rsh (remote shell), rcp (remote copy) File consists of A host name, indicating that this user is trusted when accessing the system from the specified host, or A host name followed by a login name, which indicates that the listed login name is trusted when accessing the system from the specified host

25 .rhosts example If user1 had the following.rhosts file in their home directory (/home/user1/.rhosts) system2 system4 system5 user2 system2 user5 It would mean user1 could log in from system2 as user1 user1 could log in from system4 as user1 user1 could log in from system5 as user2 user1 could also log in from system2 as user5

26 /etc/hosts.equiv file example /etc/hosts.equiv are essentially equivalent to a system-wide.rhosts file and contain lines with hostnames. If system1 contained the /etc/hosts.equiv file: system2 system4 system5 It would indicate that any user on system2, system4, or system5 could log into system1 without having to supply a password. This assumes that an equivalent username exists on system1 as the one being used on the accessing system (i.e. system2, system4, or system5). A + in the /etc/hosts.equiv file says all systems trusted.

27 Authentication and UNIX Trusted relationships UNIX will base its trust decision, using the.rhosts or hosts.equiv files, on the IP address of the connecting system. But…. The IP address (and most other fields) of an IP header can be forged!!!

28 IP Spoofing on LAN Attacker Trusted System 1 Trusted System 2 Attacker This is System 1, Please send file A OK, here it is... Huh? I didn’t ask for that...

29 IP Spoofing on LAN Attacker Trusted System 1 Trusted System 2 Attacker This is System 1, Please send file A OK, here it is... DoS attack launched Attacker uses sniffer to grab file

30 IP Spoofing across the Internet Attacker Trusted System 1 Trusted System 2 Attacker This is System 1, Please add user X to your password file OK, I’ve done it DoS attack launched Login as user X

31 Spoofing In the preceding slides, the actions represented by the “OK, I’ve done it” or the “OK, here it is” lines may actually consist of a series of messages with appropriate responses. The attacker knows what the responses should be, so the attacker can send them, timed appropriately, to ensure the connection is maintained.

32 Blind spoofing In non-blind spoofing the response sent by the target machine can be observed (sniffed). In blind spoofing, the target’s responses can not be observed.

33 The steps of a spoofing attack Identify the target of the attack (a system with a trusted relationship with another). “Eliminate” (DOS attack) the host you wish to spoof. Forge the address of the host being spoofed in your packet to be sent to the target. Send the spoofed packet to the target Keep the connection active by guessing the correct sequence number used by the target machine.

34 Sequence numbers Used to acknowledge receipt of data. Remember 3-way handshake process Client sends TCP packet with an initial sequence number. Server responds with it’s own sequence number and an acknowledgement (ACK). The client acknowledges receipt by sending packet with server’s number plus one.

35 Guessing the sequence number For non-blind spoofing, no problem as you can see the responses. For blind spoofing: Contact the target and attempt several connections Target will respond with a sequence number for each Analyze the responses to determine the pattern the target uses for incrementing

36 Once you’ve succeeded… Attempt to secure a better connection Modify password file Modify hosts.equiv or.rhosts file Shut down spoofed connection (stop the DOS attack). Now log into the target host using new account or based on trusted relationship.

37 IP Spoofing Prevention Tips General rule of thumb: Don’t have any trusted relationships if you can help it. Don’t accept packets from outside of your network that claim to be originating from inside of your network.

38 Email Spoofing Similar email address – some may not consider this real spoofing Register email address at site such as hotmail that is similar to target’s email address e.g. if target is John.Doe@abc.com, register John.Doe@hotmail.comJohn.Doe@abc.com John.Doe@hotmail.com Modify mail client – some will allow you to modify what will be put in the From line. Telnet to Port 25 – allows you to completely specify From line Attacker acts like mail server connected to port

39 Web Spoofing Basic web spoofing – register domain name similar to target’s name Man-in-the-Middle attacks – attacker positions himself so all traffic to target goes through him. (e.g. compromise router) Won’t be able to read encrypted traffic but plenty goes unencrypted. URL rewriting – change url’s on target to point to attacker which then redirects.

40 Non-Technical Spoofing Social engineering – call target and pretend to be somebody else (e.g. call help desk as new user) Reverse social engineering – generally harder to accomplish. Get somebody to call you (e.g. send target users a post card congratulating them on purchase of new computer, promise them 5 hours of free tech support and provide them a number— yours—to call)

41 Summary Scanning Spoofing Adversary Uses

Download ppt "Scanning and Spoofing Lesson 7. Scanning Ping Sweeps Port Scanners Vulnerability Scanning tools."

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.

Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.

Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.

Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Port Scanning.

Port Scanning.

Similar presentations

Ads by Google