Published by Patrick Greer
CSCD434 Lecture 8, Spring 2014
Scanning Activities: Network Mapping and Scanning
Review
Recall where we are going – Phases of Attack
1. Reconnaissance
2. Scanning – finding machines and services; vulnerability scanning
3. Gaining Access – Attacks
4. Maintaining Access
5. Covering Tracks and Hiding
Assume Attacker is Serious
In the previous slide, the attacker is dedicated and serious
– Wants to access systems to make money
– Will dedicate time and resources to accomplish goals
Scanning
After Reconnaissance (whois, Google hacks, dig) – what do attackers know?
– IP addresses of the network
– Domain names, technical contact information
– Telephone numbers, physical address
– Mail servers, possible operating systems of the servers
Scanning
What more do they need before attacking? – Two levels of information
1. Map of your network (Network Mapping)
   Ideally, the location of every internal machine with sensitive information
   – Company databases, critical servers, intranet machines
   – Firewalls, intrusion detection systems, and routers
Scanning
2. Services running on each host (Port Scanning) – services and OS's
   – Server services – DNS, Web, Mail, FTP, Database
   – File servers – NFS
   – Operating systems – Cisco IOS, Windows (Vista, etc.), Linux, Mac OS, others...
Scanning
Why do we (hackers) need to identify computer services?
Introduction to Port Scanning
Port Scanning
– Finds out which services are offered by a host
– Identifies candidate vulnerabilities: open services -> identify a vulnerable service listening on a port -> launch an exploit
– Scan all ports, not just the well-known ones
Ping Scan
– The simplest scan: finds out whether the machine is even up
Introduction to Port Scanning
Port scanning programs report
– Open ports
– Closed ports
– Filtered ports
– A best-guess assessment of which OS is running
Types of Port Scanning
TCP SYN Scanning – "half open" scanning
– Sends a SYN packet to each remote port
– Open ports respond with a SYN/ACK packet
– Closed ports usually respond with an RST packet
TCP FIN Scanning
– Sends a FIN packet (normally sent to clear a connection when the conversation is finished)
– Closed ports usually respond with an RST packet
– Open ports usually ignore FIN packets (per RFC 793), so "no answer" means open or filtered; the scanner cannot tell which
– Caveat: Windows and many Cisco devices answer every FIN with an RST regardless of port state, so against them all ports look closed
UDP Scanning – more difficult than TCP since UDP services may not respond
– If an ICMP "port unreachable" message is received, it is an indication the service is NOT running
– No response means open or filtered; scanners retransmit and send protocol-specific payloads (e.g. a DNS query to 53) to coax an answer out of the service
Types of Port Scanning
Fragmentation scanning – break the scan probes up into several smaller IP fragments (Nmap -f)
– This may hide the scan from firewalls and IDS that do not reassemble fragments
Relay or bounce scanning – send the scan through another system (proxy, forwarding gateway, or an FTP server via the FTP bounce attack, Nmap -b)
– May confuse/hide the origin of the attack
Decoy scanning – send a large number of spoofed packets along with your real ones (Nmap -D)
– So they hide the real scan among the decoys
Examples of Scans
Normal TCP Handshake
Client ---- SYN ------> Server
Client <--- SYN/ACK --- Server
Client ---- ACK ------> Server
After this, you are ready to send data
SYN Port Scan
Client ---- SYN ------> Server
Client <--- SYN/ACK --- Server
Client ---- RST ------> Server
The server is ready (the port is open), but the client decided not to complete the handshake
Types of Port Scans
SYN scan (Nmap -sS) in more detail
– "Stealthy" scan, because session handshakes are never completed
– Keeps it out of some log files: the application never sees a completed connection, so application logs stay quiet; firewall logs, packet captures and IDS still see every SYN
– Needs raw-socket (root/Administrator) privileges because Nmap crafts the packets itself
Three states
– Closed
– Open
– Filtered: a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed
Types of Port Scans
Connect scan (Nmap -sT)
– Completes the three-way handshake using the OS connect() call, so it works without root privileges
– Not stealthy – appears in the application's log files
Three states
– Closed
– Open
– Filtered
Types of Port Scans
NULL scan (Nmap -sN)
– All TCP flags are turned off
Two results
– Closed ports reply with RST
– Open or filtered ports give no response
– Same caveat as the FIN scan: Windows and many Cisco devices send RST for every probe, so all ports appear closed
Types of Port Scans
Ping Scan
– Simplest method: sends an ICMP ECHO REQUEST to the destination(s)
– TCP Ping sends a SYN (Nmap -PS) or ACK (Nmap -PA) to any port; the default is port 80 for both
– Any response (SYN/ACK or RST) shows the target is up
– This is the scan used mostly for Network Mapping; a privileged Nmap host-discovery run combines ICMP echo, a SYN to 443, an ACK to 80 and an ICMP timestamp request
Examples follow...
Network Mapping
Network Mapping
Looking for...
– Critical hosts, routers, firewalls
– If no prior knowledge, begin by scanning the machines that can be reached: Web, Mail, FTP, DNS servers
– Probe systems, trying to understand the Internet perimeter
– If internal knowledge, start scanning and mapping the internal network
Network Mapping
Can ping all possible hosts on your network using Nmap, http://www.insecure.org
– Reference Guide: http://nmap.org/book/man.html
Send an ICMP echo request – looking for an ICMP echo reply in response
– What if ICMP messages are blocked? Send TCP packets to commonly open ports instead: Web (80) or email (25)
Use Nmap to find hosts (a /24 is used here so the whole network is covered, not just 192.168.0.1):
$ nmap -sn 192.168.0.0/24          <= Ping scan (host discovery only; the old spelling -sP is still accepted)
$ nmap -sn -PS80 192.168.0.0/24    <= TCP SYN ping to port 80 (-PA80 for an ACK ping; these replaced the old -PT80 option)
Network Mapping
Other Mapping Programs – Network Scanners
– Angry IP Scanner, http://www.angryziber.com/w/Home
– SuperScan, http://www.foundstone.com/us/resources/proddesc/superscan.htm – free Windows utility
– fping, http://www.fping.com – free Unix scanner
FPing
– Pings multiple IP addresses simultaneously
– Command-line tool; input: multiple IP addresses
– To enter a range of addresses: -g option
– Input file with addresses: -f option
– fping is meant to be used in scripts and its output is easy to parse
Fping on Ubuntu
$ sudo apt-get install fping
Angry IP Scanner
Network Mapping
Traceroute
– Works from the TTL field in the IP header: sends probes with TTL 1, 2, 3, ... and each router that decrements the TTL to zero returns an ICMP Time Exceeded, revealing one hop per probe
– Map the path to each computer, overlay the results from each traceroute of the target
– Create a hypothetical network topology
– Linux traceroute sends UDP probes by default; -I uses ICMP echo and -T uses TCP SYN, which helps when UDP is filtered
$ traceroute www.yahoo.com
Superscan 4.0 – Traceroute of cs.uidaho.edu
Defense Against Network Mapping
Use firewalls and the packet-filtering capabilities of routers or hosts
At the Internet gateway, block incoming ICMP messages
– Except for hosts meant to be public, such as Web servers
– Can configure filters to allow specific IPs, like your ISP's, to send pings
– Can filter outgoing ICMP Time Exceeded messages too, which breaks traceroute through your network
– Limits attacker information, but also network management... this is why traceroute does not work at EWU!!!
Port Scanning (continued)
Scanning Basics - Ports
Each machine's TCP/IP stack has 65,536 TCP ports and 65,536 UDP ports (0 – 65535)
Every service connected to a port is a potential doorway into the machine for an attacker
The attacker has the list of official known port assignments
– Internet Assigned Numbers Authority (IANA): http://www.iana.org/assignments/port-numbers
– Wikipedia list of the same thing: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Scanning Basics - Ports
Port numbers are divided into three ranges:
– Well Known Ports – 0 – 1023: typically only for root or privileged processes
– Registered Ports – 1024 – 49151: programs registered with IANA
– Dynamic and/or Private Ports – 49152 – 65535: dynamic or ephemeral ports, assigned by the OS to programs for one-time connections; no known programs associated
Ports
Only root-privileged programs are allowed to open the lower-numbered ports. Common examples:
ftp-data   20/tcp
ftp        21/tcp
ssh        22/tcp
telnet     23/tcp
time       37/tcp and 37/udp
whois      43/tcp
DNS        53/udp (and 53/tcp for zone transfers and large answers)
Web        80/tcp
IMAP       143/tcp
Ports
A few ordinary programs which are registered...
– shockwave2   1257/tcp, 1257/udp
– ingreslock   1524/tcp, 1524/udp – Ingres
– orasrv       1525/tcp, 1525/udp – Oracle
– x11          6000-6063/tcp, 6000-6063/udp – X Window System
Ports and Port Scan Signature
Signature of a port scan – what does it look like?
– Several packets to different destination ports from the same source within a "short period" of time
– TCP SYNs sent to non-listening ports
– An intrusion detector like Snort can inform us that we have been port-scanned
What should we get back if the port is closed? An RST (RST/ACK) from the target; a run of RSTs going back to one source is itself a strong hint of scanning
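The signature above (many SYNs from one source to distinct ports on one host inside a short window, several of them drawing RSTs) written out as detection logic. This is an added example for the lecture, not Snort's code or anything from the original slides; the flow records are constructed for the example and the window and port thresholds are assumptions you would tune per site.

```python
from collections import defaultdict

# Constructed sample records, not a real capture:
# (time_s, src_ip, dst_ip, dst_port, tcp_flags); "S" = SYN, "SA" = SYN/ACK, "RA" = RST/ACK
FLOWS = [
    (0.00,  "10.0.0.5",    "192.0.2.10",   22, "S"),   # ordinary ssh login
    (0.01,  "192.0.2.10",  "10.0.0.5",     22, "SA"),
    (5.00,  "203.0.113.7", "192.0.2.10",   21, "S"),   # scanner starts here
    (5.01,  "192.0.2.10",  "203.0.113.7",  21, "RA"),  # closed port answers RST
    (5.02,  "203.0.113.7", "192.0.2.10",   22, "S"),
    (5.03,  "192.0.2.10",  "203.0.113.7",  22, "SA"),  # open port answers SYN/ACK
    (5.04,  "203.0.113.7", "192.0.2.10",   23, "S"),
    (5.05,  "192.0.2.10",  "203.0.113.7",  23, "RA"),
    (5.06,  "203.0.113.7", "192.0.2.10",   25, "S"),
    (5.07,  "203.0.113.7", "192.0.2.10",   80, "S"),
    (5.08,  "203.0.113.7", "192.0.2.10",  443, "S"),
    (40.0,  "10.0.0.6",    "192.0.2.10",   80, "S"),   # slow, legitimate use
    (70.0,  "10.0.0.6",    "192.0.2.10",  443, "S"),
]


def detect_port_scans(flows, window=10.0, min_ports=5):
    """Return one alert per (src, dst) pair that sent SYNs to at least
    `min_ports` distinct destination ports within any `window`-second span.
    RST/ACK replies flowing back to the source are counted too: SYNs that
    draw RSTs hit closed ports, which real clients rarely do repeatedly."""
    syns = defaultdict(list)   # (src, dst) -> [(time, dport), ...]
    rsts = defaultdict(int)    # (probe_src, probe_dst) -> RST replies seen
    for ts, src, dst, dport, flags in sorted(flows):
        if flags == "S":
            syns[(src, dst)].append((ts, dport))
        elif "R" in flags:
            rsts[(dst, src)] += 1          # reply direction is reversed
    alerts = []
    for (src, dst), probes in syns.items():
        start = 0
        for end in range(len(probes)):
            # slide the window forward until it spans at most `window` seconds
            while probes[end][0] - probes[start][0] > window:
                start += 1
            if len({p for _, p in probes[start:end + 1]}) >= min_ports:
                # threshold crossed: report every port probed inside this window
                t0 = probes[start][0]
                ports = sorted({p for t, p in probes if t0 <= t <= t0 + window})
                alerts.append({"src": src, "dst": dst, "ports": ports,
                               "first_seen": t0, "rst_replies": rsts[(src, dst)]})
                break                      # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(FLOWS):
        print(f"port scan from {a['src']} -> {a['dst']}: ports {a['ports']}, "
              f"{a['rst_replies']} RST replies, started at t={a['first_seen']}s")
```

Run it and only 203.0.113.7 is reported; the workstation that touched two ports 30 seconds apart is not, because the window never contains enough distinct ports. Slow scans (Nmap -T0/-T1) are designed to stay under exactly this kind of threshold, which is why production detectors also keep long-lived per-source counters.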
SYN Scan
Scanning Program - Nmap
TCP ACK Scan (Nmap -sA)
– Use this scan to get by simple filtering rules
– Many firewalls filter initiating TCP connections from the outside, i.e. they drop packets with just the SYN bit set
– To avoid that filtering, Nmap offers an ACK scan: it sets only the ACK bit, and a stateless filter takes the packet for a response to an existing connection and lets it through
– A stateful filter is not fooled (see the stateful packet filtering slide)
ACK Scan in Wireshark
Many fast connection attempts, all with the ACK bit set
Scanning Program - Nmap
TCP ACK Scan
– Nmap uses the ACK scan to figure out which ports the firewall lets unfiltered traffic through to
– If an RST comes back, the packet got through the firewall and Nmap reports the port as "unfiltered". An ACK scan cannot tell open from closed: both states answer an unsolicited ACK with an RST, so -sA never reports "open"
– If there is no response, or an ICMP unreachable error comes back, Nmap marks the port as filtered
Nmap ACK Scan (figure)
Attacker (External Network) --ACK to port 1024--> Packet Filter Device --> Protected System (Internal Network)
Attacker (External Network) --ACK to port 1025--> Packet Filter Device --> Protected System (Internal Network)
Attacker (External Network) --ACK to port 1026--> Packet Filter Device --> Protected System (Internal Network)
Protected System --Reset--> Attacker (the probe got through the filter)
Scanning Program - Nmap
Nmap – Version scan (-sV) – find hidden applications
Smart administrators
– Hide services behind odd port numbers
– Or, applications can be wrapped in another protocol, like SSL/TLS
– Example: on penguin.ewu.edu, ssh runs on port 9090
Scanning Program - Nmap – Version scan
How it works
– Nmap starts with a normal port scan
– Gathers the list of open ports on the target
– For TCP, completes the 3-way handshake and waits for the application to present itself
– Many applications send a banner; if none arrives, Nmap sends protocol probes of its own
– Tries to match the banner/response against the internal DB Nmap has (nmap-service-probes)
– Why do we need to know application versions? Because known vulnerabilities and exploits are catalogued by product and version
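The connect scan from the "Types of Port Scans" slides and the version-scan procedure just described, both in one runnable piece of code. This is an added example for the lecture, not Nmap's code or anything from the original slides: the banner signatures are a constructed stand-in for nmap-service-probes, and the target is a fake service on the loopback interface so the example runs offline (no real host is scanned).

```python
import re
import socket
import threading

# Constructed signature database, loosely modelled on the idea behind
# nmap-service-probes: a regex over the banner plus the product it identifies.
# These patterns are assumptions for the example, not Nmap's own signatures.
BANNER_SIGNATURES = [
    (re.compile(rb"^SSH-2\.0-OpenSSH_([\w.]+)"), "OpenSSH"),
    (re.compile(rb"^220 .*ESMTP Postfix"), "Postfix SMTP"),
    (re.compile(rb"^220 .*FTP"), "FTP server"),
]


def connect_scan(host, ports, timeout=0.5):
    """Full TCP connect() scan (nmap -sT style). Returns {port: state}.
    open: handshake completed; closed: RST came back (connection refused);
    filtered: no answer inside the timeout, or an unreachable error."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            states[port] = "open"
        except ConnectionRefusedError:
            states[port] = "closed"
        except (socket.timeout, OSError):
            states[port] = "filtered"
        finally:
            s.close()
    return states


def grab_banner(host, port, timeout=1.0, nbytes=256):
    """Version-scan step: complete the handshake, then wait for the service
    to announce itself (many services talk first)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(nbytes)
        except socket.timeout:
            return b""              # silent service: Nmap would now send probes


def identify(banner):
    """Match a banner against the signature DB; returns (product, version)."""
    for pattern, product in BANNER_SIGNATURES:
        m = pattern.match(banner)
        if m:
            version = m.group(1).decode() if m.groups() else ""
            return product, version
    return "unknown", ""


def version_scan(host, ports):
    """Port scan first, then banner-grab only the ports that were open."""
    results = {}
    for port, state in connect_scan(host, ports).items():
        if state == "open":
            results[port] = identify(grab_banner(host, port))
    return results


def start_fake_service(banner):
    """Constructed target: a loopback listener that sends `banner` on connect.
    Returns the port it listens on, so the example needs no real server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                conn.sendall(banner)
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port():
    """Pick a loopback port nothing is listening on, to show the closed state."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")
    print(connect_scan("127.0.0.1", [ssh_port, free_closed_port()]))
    print(version_scan("127.0.0.1", [ssh_port]))
```

The fake ssh service is found on its odd port and identified from the banner, which is the "ssh runs at 9090" case from the previous slide: hiding a service on a non-standard port does not hide it from a version scan. Note that every probe here is a completed connection, so the target's application log records each one; that is the trade-off the connect scan makes for not needing raw sockets.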
More Scanning
OS Identity by Stack Fingerprinting
– The attacker needs to know the OS and its version
– Looking for a way into the system – what vulnerabilities does the system have?
More Scanning
OS Identity - Stack Fingerprinting (Nmap -O)
How and why does this work?
Nmap sends packets to various ports, including:
– SYN packets to open ports and closed ports
– NULL packets to both open and closed ports
– ACK packets to closed and open ports
The responses differ between TCP/IP implementations:
– Some send RST, some send nothing, and some send ICMP port unreachable
– Details such as TCP options and their order, initial window size, initial sequence numbers and IP ID generation also vary by OS
Nmap includes a DB of the different system responses – over 1000 platforms
Nmap Examples
nmap -v target.com
– Scans the default TCP ports (the 1000 most common) on target.com; verbose mode
nmap -sS -O target.com/24
– First pings the addresses in the target /24 to find hosts that are up, then SYN-scans the default ports on those hosts (stealth mode: does not complete the connections) and tries to determine the OS running on each; -sS and -O need root privileges
nmap -sX -p 22,53,110,143 198.116.*.1-127
– Sends an Xmas tree scan (FIN, PSH and URG set) to the first half of each of the 256 possible /24 subnets in 198.116/16, testing whether the systems run ssh, DNS, pop3 or imap
nmap -v -p 80 *.*.2.3-5
– Finds all web servers on machines with IP addresses ending in .2.3, .2.4 or .2.5; the wildcards cover every /16 on the Internet, so this illustrates the target syntax and is not something to run
Scanning Defenses
What can you do against scanning?
– Close down all unnecessary ports – find them first
netstat -nao | findstr LISTENING      (Windows XP; findstr is the built-in equivalent of grep)
– Shows listening ports and the process IDs of the listening processes
Windows third-party tools actually show more information
– Fport – www.foundstone.com
– OpenPorts – http://diamondcs.com.au/consoletools/openports.php
Scanning Defenses – Linux
netstat -tulnp    lists listening TCP and UDP ports with PIDs and program names (run as root to see every process); ss -tulnp is the modern replacement
netstat -nap      shows all in-use sockets, listening or not, with PIDs
lsof -i           shows all TCP/IP sockets and the files/processes holding them
lsof -p [pid]     shows everything one process has open
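The "find them first" step done the way you would in a script rather than by eye: parse the listener list and compare it with what the host is supposed to expose. This is an added example, not part of the original slides; the ss -tulnp-style output is constructed for the example (not captured from a real host) and the allowlist is an assumed policy for that host.

```python
import re

# Constructed `ss -ltnp` output for the example; not captured from a real host.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1140,fd=6))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=990,fd=21))
LISTEN  0       128     0.0.0.0:6000         0.0.0.0:*          users:(("Xorg",pid=1302,fd=5))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Assumed policy for this host: the only ports that should be reachable, and
# the process that is supposed to own each one.
ALLOWED = {22: "sshd", 80: "nginx"}

LISTEN_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')


def parse_listeners(text):
    """Turn `ss -ltnp` output into a list of (bind_addr, port, process, pid)."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_LINE.match(line)
        if m:
            listeners.append((m["addr"], int(m["port"]), m["proc"], int(m["pid"])))
    return listeners


def audit(listeners, allowed):
    """Report every listener not covered by the allowlist (wrong port, or the
    right port owned by an unexpected process). Loopback-only listeners are
    low severity: a remote scanner cannot reach them, but they are still
    attack surface for anything already running on the box."""
    findings = []
    for addr, port, proc, pid in listeners:
        if allowed.get(port) == proc:
            continue
        loopback = addr in ("127.0.0.1", "[::1]")
        findings.append({"port": port, "process": proc, "pid": pid,
                         "bind": addr, "severity": "low" if loopback else "high"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_listeners(SS_OUTPUT), ALLOWED):
        print(f"[{f['severity']}] port {f['port']} ({f['process']}, pid {f['pid']}) "
              f"bound to {f['bind']}")
```

On the sample data the X server on 6000 bound to all interfaces is the high-severity finding (exactly the registered-port example from the earlier slide), while the database on 3306 is only reachable locally. Feed the function real output with `ss -ltnp` piped through it and review the findings against the next slides on disabling services.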
Defenses Against Scanning
On-line scanners can help...
For people who want an on-line scan of their computers, there are several sites:
– http://www.auditmypc.com
– http://www.hackerwatch.org/probe
– http://www.dslreports.com/tools?r=341
Most do simple scans for obvious vulnerabilities
48
Etherape View Active Connections Etherape Is a graphical utility that allows you to see (in real-time) where connections are being made on your network, or between your network (or computer) and the Internet If you are experiencing unexpected network activity on your computer or LAN and wish to see where the activity is occurring, this is an easy tool to use http://etherape.sourceforge.net/
Scanning Defenses
Once you find all the open ports
– See if the services are needed
– If not, disable the service permanently (Windows): Start->Run ... services.msc, then click the service, click Stop and set its Startup type to Disabled
Scanning Defenses – Linux continued
Disable services
– If started by inetd: comment out its line in /etc/inetd.conf and restart inetd
– If started by xinetd: set "disable = yes" in /etc/xinetd.d/[service] (or delete that file) and restart xinetd
– chkconfig --list is another way to see the installed services and which runlevels start them
  – Comes with Red Hat, Mandrake and other Linux versions (not Ubuntu, which uses update-rc.d for the same job), but it can be installed on Ubuntu
  – chkconfig [service] off disables the service
– On systemd-based distributions the equivalent is systemctl disable --now [service]
Scanning Defenses
Stateful Packet Filtering
– Keeps track of existing connections, typically in a connection table
– TCP connections: won't allow ACK packets into the network unless they belong to an existing TCP conversation, i.e. there must have been an earlier SYN packet that the filter allowed. This is what defeats the ACK scan: the probe is dropped and Nmap reports "filtered"
– For FTP, a data connection is only allowed if a control connection was set up already
Cover this more in depth when we cover Firewalls
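A toy model of the connection table just described, to show concretely why the ACK scan from earlier in the lecture gets nothing back through a stateful filter while ordinary traffic still flows. This is an added example, not any real firewall's code and not from the original slides; the topology (10.0.0.0/24 internal, only the web server 10.0.0.80:80 published) and the packet format are assumptions for the example.

```python
import ipaddress

# Assumed topology for the example: inside is 10.0.0.0/24, and the only
# service the outside world may open a connection to is the web server.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
PUBLISHED = {("10.0.0.80", 80)}


def packet(src, sport, dst, dport, flags):
    """Minimal packet: just the fields a stateful filter keys on."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


class StatefulFilter:
    def __init__(self):
        self.table = set()   # 4-tuples of conversations that began with an allowed SYN
        self.log = []        # (verdict, src, dst, dport, flags)

    def _from_outside(self, pkt):
        return ipaddress.ip_address(pkt["src"]) not in INTERNAL

    def handle(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        flags = pkt["flags"]
        if key in self.table or reverse in self.table:
            verdict = "ACCEPT"                 # belongs to a tracked conversation
            if "R" in flags:                   # an RST tears the entry down
                self.table.discard(key)
                self.table.discard(reverse)
        elif flags == "S" and (not self._from_outside(pkt)
                               or (pkt["dst"], pkt["dport"]) in PUBLISHED):
            self.table.add(key)                # new outbound connection, or to a published service
            verdict = "ACCEPT"
        else:
            # Unsolicited ACK/FIN/NULL probes and SYNs to unpublished ports land here.
            # Dropping silently (no RST back) is what makes Nmap report "filtered".
            verdict = "DROP"
        self.log.append((verdict, pkt["src"], pkt["dst"], pkt["dport"], flags))
        return verdict


def run_demo():
    fw = StatefulFilter()
    # 1. ACK scan from outside: nothing matches in the table, so every probe is dropped.
    for port in (1024, 1025, 1026):
        fw.handle(packet("198.51.100.9", 40000 + port, "10.0.0.5", port, "A"))
    # 2. An inside client opens a connection; the SYN/ACK coming back is let in.
    fw.handle(packet("10.0.0.5", 51000, "198.51.100.9", 443, "S"))
    fw.handle(packet("198.51.100.9", 443, "10.0.0.5", 51000, "SA"))
    fw.handle(packet("10.0.0.5", 51000, "198.51.100.9", 443, "A"))
    # 3. Outside SYN to the published web server is accepted; to ssh on a workstation it is not.
    fw.handle(packet("198.51.100.9", 40443, "10.0.0.80", 80, "S"))
    fw.handle(packet("198.51.100.9", 40022, "10.0.0.5", 22, "S"))
    return fw.log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

Compare this with the stateless rule on the ACK-scan slide ("drop packets with only SYN set"): that rule lets the bare ACK through, the table lookup here does not. The cost is the state itself; a real filter has to age entries out and bound the table, which is why SYN floods and state-exhaustion attacks target exactly this mechanism.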
Summary
– Scanning results in a list of live machines
– With a list of ports, open or not
– And the services or programs running at those ports
– Next, identify vulnerabilities in the running services
– Code or download exploits to gain access !!!!
The End
Lab this week is Google Hacking
Assignment is Reconnaissance