Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.

Published byJack Rose Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology."— Presentation transcript:

1 1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology

2 2 Agenda Reconnaissance Scanning Network Mapping Port Scanning OS detection Vulnerability assessment

3 3 Reconnaissance Internet Network Information Center who-is database www.internic.net/whois.html Registrar’s database i.e. www.networksolutions.com www.networksolutions.com American Registry for Internet Numbers (ARIN) http://ww2.arin.net/whois/ Domain Name System (DNS) nslookup

4 4 Reconnaissance After Recon, it is possible to know detailed information about a potential target This information includes specific IP addresses and ranges of addresses that may be further probed.

5 5 Scanning Objective 1: Network Mapping Why: To determine what the network looks like logically. How: Manually using tools like ping, traceroute, tracert, or with tools like Cheops network mapping tool

6 6 Cheops-ng Created by Mark Spencer for Linux systems, available at http://www.marko.net/cheops/ Purpose: “To provide system administrators and users with a simple interface to managing and accessing their networks. Cheops aims to do for the network what the file manager did for the filesystem.” This tool automates ping and traceroute.

7 7 Cheops-ng: What does it do? Finds active hosts in a network Determines the names of active hosts Discovers host operating systems Detects open ports Maps the complete network in a graphical format

8 8 Cheops-ng: How does it work? Utilizes ICMP “ping” packets to search a network for live hosts Domain Name Transfers (nslookup) are used to list hosts Invalid flags on TCP packets are used to detect the OS Half-open TCP connections are used to detect ports UDP packets with small TTL values are used to map network

9 9 Scanning Objective 2: Port Scanning Why: To find open ports in order to exploit them. How: TCP Connect -- attempt to complete 3-way handshake, look for SYN-ACK, easy to detect this scan TCP SYN Scan -- “half-open” scan, look for SYN-ACK, then send RESET, target system will not record connection, also faster than TCP connect scan TCP FIN, Xmas Tree, Null Scans -- scans that violate the protocol, closed ports send RESET, open ports send nothing (Windows does not respond to these scans)

10 10 Scanning TCP ACK Scan -- may be useful to get past packet filters (believes it is a response to a request from inside firewall), if receive RESET, know this port is open through firewall FTP Bounce Scan -- request that server send file to a victim machine inside their network (most servers have disabled this service) UDP Scan -- unreliable, if receive ICMP Port Unreachable, assume closed, otherwise open Ping Sweep -- can use ICMP or TCP packets

11 11 Scanning Additional objectives: Decoys -- insert false IP addresses in scan packets Ping Sweeps -- identify active hosts on a target network Find RPCs -- connect to each open port looking for common RPC services (send NULL RPC commands)

12 12 Scanning Objective 3: Operating System Detection Why: To determine what Operating System is in use in order to exploit known vulnerabilities. Also known as TCP stack fingerprinting. Take advantage of ambiguity of how to handle illegal combinations of TCP code bits that is found in the RFCs. Each OS responds to illegal combinations in different ways. Determine OS by system responses.

13 13 OS detection Window Size: Most Unix Operating Systems keep the window Size the same throughout a session. Windows Operating Systems tend to change the window size during a session. Time to Live: FreeBsd or Linux typically use 64, Windows Typically uses 128. Do Not Fragment Flag: Most OS leave set, OpenBSD leaves it unset.

14 14 Nmap: Network Exploration Tool Purpose: “To allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering.” Available at: http://www.insecure.org/nmap/http://www.insecure.org/nmap/

15 15 Nmap: What does it do? Port scanning OS detection Ping sweeps

16 16 Nmap: How does it work? UDP FIN TCP connect() ACK sweep TCP SYN (half open) Xmas Tree ftp proxy (bounce attack) SYN sweep Reverse-Identification IP Protocol ICMP (ping sweep) Null Scan Use the following Scan techniques :

17 17 Nmap: How does it work? Uses the following OS detection techniques TCP/IP fingerprinting stealth scanning dynamic delay and retransmission calculations parallel scanning detection of down hosts via parallel pings decoy scanning port filtering detection direct (non-port mapper) RPC scanning fragmentation scanning flexible target and port specification.

18 18 Scanning Vulnerability Assessment (1) Objective 4: Vulnerability Assessment Why: To determine what known (or unknown?) vulnerabilities exist on a given network Vulnerabilities come from: Default configuration weakness Configuration errors Security holes in applications and protocols Failure to implement patches!

19 19 Vulnerability Assessment Vulnerability checkers use: Database of known vulnerabilities Configuration tool Scanning engine Knowledge base of current scan Report generation tool

20 20 Scanning tool: Nessus Purpose: “To provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner.” Security Scanner: “A software which will audit remotely a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way.” Available platforms: UNIX for client and server Windows for client only Available at: http://www.nessus.org/

21 21 Nessus: What does it do? Iteratively tests a target system (or systems) for known exploitation vulnerabilities Uses a separate plug-in (written in C or Nessus Attack scripting Language) for each security test Can test multiple hosts concurrently Produces a thorough vulnerability assessment report at the conclusion of the vulnerability scan

22 22 What does Nessus check for? Backdoors CGI abuses Denial of Service Finger abuses FTP Gain a shell remotely Gain root remotely Port scanners Remote file access RPC SMTP problems Useless services Windows and more...

23 23 Scanning tool: Superscan4 (windows XP) Purpose: “To provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner.” Security Scanner: “Superior scanning speed, Support for unlimited IP ranges, Improved host detection using multiple ICMP methods, TCP SYN scanning, UDP scanning (two methods), IP address import supporting ranges and CIDR formats, Simple HTML report generation, Source port scanning, Fast hostname resolving, Extensive banner grabbing, Massive built-in port list description database, IP and port scan order randomization, A selection of useful tools (ping, traceroute, Whois etc),Extensive Windows host enumeration capability.”

24

25 25 Summary Reconnaissance Scanning Network Mapping Port Scanning OS detection Vulnerability assessment

Download ppt "1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology."

Similar presentations

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.

TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.
Nmap Experiment.

Nmap Experiment.
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
IP Network Scanning.

IP Network Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Hacking Linux Based on Hacking Linux Exposed Hatch, Lee, and Kurtz ISBN 0-07-212773-2.

Hacking Linux Based on Hacking Linux Exposed Hatch, Lee, and Kurtz ISBN
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Port Scanners.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Port Scanners.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.

Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
Port Scanning Yiqian Zhang CS 265 Project. What is Port Scanning? port scanning is equivalent to knocking on the walls to find all the doors and windows.

Port Scanning Yiqian Zhang CS 265 Project. What is Port Scanning? port scanning is equivalent to knocking on the walls to find all the doors and windows.

Similar presentations

Ads by Google