
CSCD434 Lecture 7, Spring 2012: Scanning Activities, Network Mapping and Scanning


Slide 1: CSCD434 Lecture 7, Spring 2012. Scanning Activities: Network Mapping and Scanning

Slide 2: Review
Recall where we are going: the phases of an attack
1. Reconnaissance
2. Scanning: finding machines and services, vulnerability scanning
3. Gaining access (attacks)
4. Maintaining access
5. Covering tracks and hiding

Slide 3: Scanning
After reconnaissance (whois, Google hacks, dig), what do attackers know?
- IP addresses of the network
- Domain names and technical contact information
- Telephone numbers and physical address
- Mail servers, and possibly the operating systems of servers

Slide 4: Scanning
What more do they need before attacking? Two levels of information:
1. A map of your network (network mapping): ideally the location of every internal machine with sensitive information, such as company databases, critical servers, intranet machines, firewalls, intrusion detection systems and routers

Slide 5: Scanning
2. The services running on each host (port scanning): services and OS's
- Server services: DNS, web, mail, FTP, database
- File servers: NFS
- Operating systems: Cisco, Windows, Vista, Linux, Mac, others

Slide 6: Scanning
Why do we (hackers) need to identify computer services?

Slide 7: Introduction to Port Scanning
- Port scanning finds out which services a host offers, and from the open services identifies vulnerabilities: identify a vulnerable port, then launch an exploit against it
- Scan all ports, not just the well-known ones
- A ping scan is the simplest scan: it only finds out whether the machine is even up

Slide 8: Introduction to Port Scanning
Port scanning programs report:
- Open ports
- Closed ports
- Filtered ports
- A best-guess assessment of which OS is running

Slide 9: Types of Port Scanning
- TCP SYN scanning ("half-open" scanning): sends a SYN packet to each remote port. Open ports respond with a SYN/ACK; closed ports usually respond with an RST. The scanner answers a SYN/ACK with an RST instead of an ACK, so the handshake is never completed.
- TCP FIN scanning: sends a FIN packet (normally sent to clear a connection when the conversation is finished). Closed ports usually respond with an RST; open ports usually ignore the FIN. This relies on RFC 793 behaviour: stacks that do not follow it (Windows, many Cisco devices) send an RST for every port, open or closed, so a FIN scan against them reports everything closed.
- UDP scanning: more difficult than TCP, since UDP services may not respond to an empty probe. If an ICMP "port unreachable" message is received, however, it is an indication that the service is NOT running; no response at all means open or filtered.

Slide 10: Types of Port Scanning
- Fragmentation scanning: break each scan probe up into several small IP fragments, so that the TCP header is split across packets. This may hide the scan from firewalls and IDS that do not reassemble fragments before inspecting them.
- Relay or bounce scanning: send the scan through another system (a proxy or forwarding gateway). May confuse or hide the origin of the attack.
- Decoy scanning: send a large number of spoofed packets along with your real one, so the decoys hide the real scan.

Slide 11: Examples of Scans

Slide 12: Normal TCP Handshake
Client  --SYN-->      Server
Client  <--SYN/ACK--  Server
Client  --ACK-->      Server
After this, you are ready to send data.

Slide 13: SYN Port Scan
Client  --SYN-->      Server
Client  <--SYN/ACK--  Server
Client  --RST-->      Server
The server is ready, but the client decided not to complete the handshake.

Slide 14: Types of Port Scans
SYN scan
- A "stealthy" scan, because session handshakes are never completed, which keeps it out of some application log files (the SYN itself is still visible to firewalls and IDS)
- Three states: closed, open, filtered
- Filtered means that a firewall, filter or other network obstacle is blocking the port, so that Nmap cannot tell whether it is open or closed

Slide 15: Types of Port Scans
Connect scan
- Completes the three-way handshake
- Not stealthy: appears in log files
- Three states: closed, open, filtered

Slide 16: Types of Port Scans
NULL scan
- All TCP flags are turned off
- Two results: closed ports reply with an RST; open or filtered ports give no response, so Nmap reports them as open|filtered (the same RFC 793 caveat as the FIN scan applies)

Slide 17: Types of Port Scans
Ping scan
- Simplest method: sends an ICMP ECHO REQUEST to the destination(s)
- TCP ping sends a SYN or an ACK to any port (Nmap's default is port 80); any response, SYN/ACK or RST, shows the target is up
- This is the scan used mostly for network mapping. Examples follow.
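The decision rules from slides 9 and 14 to 17 (and the ACK-scan rules of slide 40) written out as code, so the difference between "closed", "filtered", "unfiltered" and "open|filtered" can be checked against concrete replies. This is an added example, not code from the lecture or from Nmap; it sends no packets, and the `Reply` records and the `SAMPLE` target below are constructed for the example.

```python
"""Port-state inference rules for SYN, connect, FIN/NULL/Xmas, ACK and UDP
scans.  Added example, not from the lecture slides or from Nmap; it encodes the
rules the slides (and Nmap's documentation) describe and applies them to
constructed replies.  No packets are sent."""

from typing import NamedTuple, Optional

class Reply(NamedTuple):
    """What came back for one probe (constructed here; a real scanner fills
    this in from the captured reply)."""
    kind: str                     # "tcp", "udp", "icmp" or "none"
    tcp_flags: str = ""           # e.g. "SA" (SYN/ACK), "R" or "RA" (RST)
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

NO_REPLY = Reply("none")

# ICMP destination-unreachable (type 3) codes that a filtering device, rather
# than the end host, typically returns.
FILTER_CODES = {1, 2, 3, 9, 10, 13}

def _filtered_by_icmp(r: Reply) -> bool:
    return r.kind == "icmp" and r.icmp_type == 3 and r.icmp_code in FILTER_CODES

def classify(scan: str, reply: Reply) -> str:
    """Nmap-style state for one port: open, closed, filtered, unfiltered or
    open|filtered.  `scan` is syn, connect, fin, null, xmas, ack or udp."""
    if scan in ("syn", "connect"):
        if reply.kind == "tcp" and "S" in reply.tcp_flags and "A" in reply.tcp_flags:
            return "open"             # SYN/ACK: something is listening
        if reply.kind == "tcp" and "R" in reply.tcp_flags:
            return "closed"           # RST: host reachable, nothing listening
        return "filtered"             # ICMP error or silence: blocked on the way
    if scan in ("fin", "null", "xmas"):
        if reply.kind == "tcp" and "R" in reply.tcp_flags:
            return "closed"           # RFC 793: a closed port answers RST
        if _filtered_by_icmp(reply):
            return "filtered"
        return "open|filtered"        # open ports ignore the probe; so do drops
    if scan == "ack":
        if reply.kind == "tcp" and "R" in reply.tcp_flags:
            return "unfiltered"       # RST comes from open AND closed ports alike
        return "filtered"             # silence or ICMP unreachable
    if scan == "udp":
        if reply.kind == "udp":
            return "open"             # the service actually answered
        if reply.kind == "icmp" and reply.icmp_type == 3 and reply.icmp_code == 3:
            return "closed"           # port unreachable: nothing bound
        if _filtered_by_icmp(reply):
            return "filtered"
        return "open|filtered"        # UDP services often ignore empty probes
    raise ValueError(f"unknown scan type {scan!r}")

# Constructed replies from one target: 22/tcp open, 23/tcp closed, 25/tcp
# behind a stateless filter that drops SYNs but passes ACKs, 53/udp open,
# 54/udp closed, 55/udp answered by a filter with an admin-prohibited error.
SAMPLE = {
    ("syn", 22): Reply("tcp", "SA"),
    ("syn", 23): Reply("tcp", "RA"),
    ("syn", 25): NO_REPLY,
    ("null", 22): NO_REPLY,
    ("null", 23): Reply("tcp", "RA"),
    ("ack", 22): Reply("tcp", "R"),
    ("ack", 25): Reply("tcp", "R"),
    ("udp", 53): Reply("udp"),
    ("udp", 54): Reply("icmp", icmp_type=3, icmp_code=3),
    ("udp", 55): Reply("icmp", icmp_type=3, icmp_code=13),
}

def report(sample=SAMPLE) -> dict:
    """(scan, port) -> inferred state for every probe in the sample."""
    return {key: classify(key[0], reply) for key, reply in sample.items()}

if __name__ == "__main__":
    for (scan, port), state in sorted(report().items()):
        print(f"{scan:>5} scan  port {port:<4} {state}")
```

Note how port 25 reads "filtered" to the SYN scan but "unfiltered" to the ACK scan: that pair of results is exactly what reveals a stateless filter, and why the ACK scan is on slide 38.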

Slide 18: Network Mapping

Slide 19: Network Mapping
Looking for critical hosts, routers and firewalls:
- With no prior knowledge, begin by scanning the machines that can be reached: web, mail, FTP and DNS servers
- Probe systems, trying to understand the Internet perimeter
- With internal knowledge, start scanning and mapping the network directly

Slide 20: Network Mapping
Can ping all possible hosts on your network using Nmap, http://www.insecure.org (reference guide: http://nmap.org/book/man.html)
- Send an ICMP echo request and look for an ICMP echo reply
- What if ICMP messages are blocked? Send TCP packets to commonly open ports instead, such as web (80) or email (25)
Use nmap to find hosts:
  $ nmap -sP 192.168.0.1     <= ping scan
  $ nmap -PT80 192.168.0.1   <= TCP ping scan
(These are the old option spellings; current Nmap uses -sn for the ping scan and -PA80 for an ACK ping, or -PS80 for a SYN ping.)

Slide 21: Network Mapping
Other mapping programs (network scanners):
- Angry IP Scanner, http://www.angryziber.com/w/Home
- SuperScan, http://www.foundstone.com/us/resources/proddesc/superscan.htm (free Windows utility)
- fping, http://www.fping.com (free Unix scanner)

Slide 22: fping
- Pings multiple IP addresses simultaneously; a command-line tool
- Input: multiple IP addresses. A range of addresses is given with the -g option, an input file of addresses with the -f option
- fping is meant to be used in scripts and its output is easy to parse

Slide 23: fping on Ubuntu
  $ sudo apt-get install fping

Slide 24: Network Mapping
Traceroute
- Works from the TTL field in the IP header: it sends probes with TTL 1, 2, 3, ...; each router that decrements the TTL to zero discards the probe and returns an ICMP Time Exceeded, which reveals that hop's address
- Map the path to each computer, overlay the results of each traceroute of the target, and create a hypothetical network topology
  $ traceroute www.yahoo.com
- An automated tool can do this: Cheops-ng, runs on Linux, http://cheops-ng.sourceforge.net/
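The "overlay the results of each traceroute" step from this slide, done by hand: parse several traceroute runs, merge the hops into one graph and pick out the shared part of the path, which is where the target's perimeter router sits. This is an added example, not code from the lecture or from Cheops-ng; the three traceroute outputs are constructed (documentation-range addresses, numeric `traceroute -n` layout) and the placeholder naming for hops that time out is an assumption of the example.

```python
"""Overlay several traceroute runs into one hypothetical topology, as the
slide describes (Cheops-ng automates the same idea).  Added example, not from
the lecture or from Cheops-ng.  The traceroute output below is constructed,
with documentation-range addresses, in the numeric (`traceroute -n`) format."""

import re
from collections import defaultdict

# " 4  203.0.113.1  12.0 ms ..." / " 4  gw.example.net (203.0.113.1) ..." / " 5  * * *"
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(?:\S+\s+\((\d+\.\d+\.\d+\.\d+)\)|(\d+\.\d+\.\d+\.\d+)|(\*))")

def parse_traceroute(text: str) -> list:
    """Ordered hop addresses for one run; '*' where the hop did not answer."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                              # banner line, not a hop
        ttl = int(m.group(1))
        addr = m.group(2) or m.group(3) or "*"
        while len(hops) < ttl - 1:                # keep list index == TTL - 1
            hops.append("*")
        hops.append(addr)
    return hops

def overlay(traces: dict) -> dict:
    """Merge {target: hops} into adjacency lists, with the source labelled 'me'.
    A hop that timed out becomes a placeholder named after its TTL and the hop
    before it, so two runs that both lose the same hop share one unknown node
    (an assumption of this example: they may really be different devices)."""
    graph = defaultdict(set)
    for hops in traces.values():
        prev = "me"
        for ttl, hop in enumerate(hops, 1):
            node = hop if hop != "*" else f"?{ttl}-after-{prev}"
            graph[prev].add(node)
            prev = node
    return {node: sorted(nxt) for node, nxt in graph.items()}

def common_prefix(traces: dict) -> list:
    """Hops every run shares before the paths diverge; the last one is the
    best guess for the router on the target's Internet perimeter."""
    prefix = []
    for column in zip(*traces.values()):
        if len(set(column)) != 1 or column[0] == "*":
            break
        prefix.append(column[0])
    return prefix

# Constructed output of three traceroute runs into 203.0.113.0/24.
SAMPLE = {
    "203.0.113.10": """traceroute to 203.0.113.10 (203.0.113.10), 30 hops max
 1  192.0.2.1  0.4 ms  0.3 ms  0.3 ms
 2  198.51.100.1  5.1 ms  4.9 ms  5.0 ms
 3  198.51.100.254  9.8 ms  9.7 ms  9.9 ms
 4  203.0.113.1  12.0 ms  12.1 ms  11.9 ms
 5  203.0.113.10  12.4 ms  12.3 ms  12.5 ms
""",
    "203.0.113.80": """traceroute to 203.0.113.80 (203.0.113.80), 30 hops max
 1  192.0.2.1  0.4 ms  0.3 ms  0.3 ms
 2  198.51.100.1  5.2 ms  5.0 ms  5.1 ms
 3  198.51.100.254  9.9 ms  9.6 ms  9.8 ms
 4  203.0.113.1  12.2 ms  12.0 ms  12.1 ms
 5  203.0.113.2  12.9 ms  12.8 ms  13.0 ms
 6  203.0.113.80  13.3 ms  13.2 ms  13.4 ms
""",
    "203.0.113.25": """traceroute to 203.0.113.25 (203.0.113.25), 30 hops max
 1  192.0.2.1  0.4 ms  0.3 ms  0.3 ms
 2  198.51.100.1  5.0 ms  5.1 ms  5.0 ms
 3  198.51.100.254  9.7 ms  9.9 ms  9.8 ms
 4  203.0.113.1  12.1 ms  12.0 ms  12.2 ms
 5  * * *
 6  203.0.113.25  14.0 ms  13.9 ms  14.1 ms
""",
}

def build_map(sample=SAMPLE):
    """(adjacency lists, shared path) for a set of traceroute outputs."""
    traces = {target: parse_traceroute(out) for target, out in sample.items()}
    return overlay(traces), common_prefix(traces)

if __name__ == "__main__":
    graph, shared = build_map()
    print("shared path:", " -> ".join(["me"] + shared))
    for node, nxt in sorted(graph.items()):
        print(f"{node:>24} -> {', '.join(nxt)}")
```

In the sample, 203.0.113.1 is the last hop all three runs share and has three different successors, which is the signature of the perimeter router; the silent hop on the way to .25 stays in the map as an unknown device rather than being dropped, since a filter that eats Time Exceeded messages (slide 30) looks exactly like this.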

Slide 25: Network Mapping
Cheops-ng, a special traceroute-type tool
- Uses ping and traceroute
- Does OS fingerprinting and has both FTP and SSH clients
- Builds a very nice network map complete with hosts and the route to each host on the network

Slide 26: Cheops-ng (screenshot)

Slide 27: Cheops-ng OS detection
Cheops can optionally determine the OS of hosts on the network, selecting appropriate icons for them.

Slide 28: (screenshot only)

Slide 29: SuperScan 4.0, traceroute of cs.uidaho.edu (screenshot)

Slide 30: Defense Against Network Mapping
- Use firewalls and packet-filtering capabilities on routers or hosts
- At the Internet gateway, block incoming ICMP messages, except to hosts meant to be public, such as web servers
- Filters can be configured to allow specific IPs, like your ISP, to send pings
- ICMP Time Exceeded messages can be filtered too
- This limits attacker information, but limits network management too... which is why traceroute does not work at EWU!!!

Slide 31: Port Scanning

Slide 32: Scanning Basics - Ports
- Each machine's TCP/IP stack has 65,536 TCP ports and 65,536 UDP ports (0 to 65535)
- Every service listening on a port is a potential doorway into the machine for an attacker
- The attacker has the list of official port assignments:
  - Internet Assigned Numbers Authority (IANA), http://www.iana.org/assignments/port-numbers
  - Wikipedia list of the same thing, http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Slide 33: Scanning Basics - Ports
Port numbers are divided into three ranges:
- Well-known ports, 0 - 1023: typically only for root or privileged processes
- Registered ports, 1024 - 49151: known programs registered with IANA
- Dynamic and/or private ports, 49152 - 65535: dynamic or ephemeral ports, handed out by the stack for the client side of one-time connections; no known programs associated

Slide 34: Ports
On Unix-like systems only root-privileged programs are allowed to open the lower-numbered ports. Common examples:
  ftp-data   20/tcp
  ftp        21/tcp
  ssh        22/tcp
  telnet     23/tcp
  time       37/tcp
  time       37/udp
  whois      43/tcp
  dns        53/udp (and 53/tcp for zone transfers and large answers)
  web        80/tcp
  imap      143/tcp

Slide 35: Ports
A few ordinary programs which are registered:
  shockwave2   1257/tcp, 1257/udp
  ingreslock   1524/tcp, 1524/udp   (ingres)
  orasrv       1525/tcp, 1525/udp   (oracle)
  x11          6000-6063/tcp, 6000-6063/udp   (X Window System)

Slide 36: Ports and Port Scan Signature
Signature of a port scan: what does it look like?
- Several packets to different destination ports from the same source within a "short period" of time
- For example, TCP SYNs sent to ports nothing is listening on
- An intrusion detector like Snort can inform us that we have been port-scanned
- What should we get back if the port is closed? An RST for TCP, an ICMP port unreachable for UDP
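The signature on this slide, turned into detection logic that runs over connection records: one sliding window per source address counting distinct targets, which is the basic shape of what Snort's portscan preprocessor does. This is an added example, not code from the lecture or from Snort; the log lines it reads are constructed, in a made-up "epoch SYN src:sport -> dst:dport" format, and the window and threshold values are assumptions.

```python
"""A minimal port-scan detector over connection records, implementing the
signature on the slide: many distinct destination ports from one source within
a short period.  Added example, not from the lecture and not Snort's own
logic; the log lines below are constructed in a made-up
"<epoch> SYN <src>:<sport> -> <dst>:<dport>" format."""

import re
from collections import defaultdict, deque

LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) SYN (\S+):\d+ -> (\S+):(\d+)$")

def parse_line(line: str):
    """(timestamp, src, dst, dport), or None for a line that is not a SYN record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m.group(1)), m.group(2), m.group(3), int(m.group(4))

class ScanDetector:
    """Sliding window per source address, counting distinct (dst, port) targets.
    Keying on the pair means a sweep (one port across many hosts) trips the same
    threshold as a scan (many ports on one host)."""

    def __init__(self, window: float = 5.0, threshold: int = 15):
        self.window = window                 # seconds of history kept per source
        self.threshold = threshold           # distinct targets that raise an alert
        self.history = defaultdict(deque)    # src -> deque of (ts, dst, port)
        self.alerted = set()                 # one alert per source, to limit noise

    def feed(self, ts: float, src: str, dst: str, port: int):
        """Record one SYN; return an alert string when the threshold is crossed."""
        q = self.history[src]
        q.append((ts, dst, port))
        while q and ts - q[0][0] > self.window:     # expire entries outside the window
            q.popleft()
        targets = {(d, p) for _, d, p in q}
        if len(targets) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            hosts = {d for d, _ in targets}
            kind = "portscan" if len(hosts) == 1 else "portsweep"
            return (f"{kind} from {src}: {len(targets)} distinct targets on "
                    f"{len(hosts)} host(s) within {self.window}s")
        return None

def run(lines, **kw) -> list:
    """Feed every parseable line to a fresh detector; return the alerts raised."""
    det = ScanDetector(**kw)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            alert = det.feed(*rec)
            if alert:
                alerts.append(alert)
    return alerts

# Constructed log: a fast scanner, an ordinary web client, and a slow scanner
# that spaces its probes 10 s apart to stay under the window (the classic evasion).
SAMPLE_LOG = (
    [f"{1334000000 + i * 0.1:.1f} SYN 10.0.0.5:{51000 + i} -> 192.168.0.1:{20 + i}"
     for i in range(20)]
    + [f"{1334000000 + i * 0.5:.1f} SYN 10.0.0.7:{40000 + i} -> 192.168.0.1:{80 if i % 2 else 443}"
       for i in range(6)]
    + [f"{1334000100 + i * 10:.1f} SYN 10.0.0.9:{42000 + i} -> 192.168.0.1:{20 + i}"
       for i in range(20)]
)

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
    print("with a 5 minute window:", run(SAMPLE_LOG, window=300.0))
```

The slow scanner only shows up when the window is widened, which is the trade-off every port-scan detector has to make: a longer window catches patient scanners but holds more state per source and is easier to trip with ordinary traffic.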

Slide 37: SYN Scan (screenshot)

Slide 38: Scanning Program - Nmap
TCP ACK scan
- Use this scan to get past filtering rules
- Many firewalls filter TCP connections initiated from the outside: they drop packets with just the SYN bit set, the ones that open a connection
- To avoid that filtering, Nmap offers an ACK scan: it sets the ACK bit on its packets, and a stateless filter thinks they are responses to an existing connection

Slide 39: ACK Scan in Wireshark (screenshot)
Many fast connection attempts, all with the ACK bit set.

Slide 40: Scanning Program - Nmap
TCP ACK scan
- Nmap uses the ACK scan to figure out which ports the firewall lets unfiltered traffic through to; it does not tell open from closed
- If an RST comes back, the packet got through the firewall and Nmap marks the port unfiltered (both open and closed ports answer an unexpected ACK with an RST, so the port's real state stays unknown)
- If there is no response, or an ICMP unreachable error comes back, Nmap marks the port filtered

Slide 41: Nmap ACK Scan (figure)
The attacker on the external network sends ACK packets to ports 1024, 1025 and 1026 of the protected system; they pass through the packet-filter device, and the protected system on the internal network answers each with a Reset.

Slide 42: Scanning Program - Nmap
Version scan: find hidden applications
- Smart administrators hide services behind odd port numbers
- Or applications are run behind another layer, such as SSL

Slide 43: Scanning Program - Nmap
Version scan, how it works
- Nmap starts with a normal port scan and gathers the list of open ports on the target
- For TCP, it completes the 3-way handshake and waits for the application to present itself; many services print a banner
- It tries to match the banner (or the reply to a protocol-specific probe) against the internal database of service signatures Nmap has
- If it finds SSL, Nmap completes the SSL handshake and then runs detection again to see what service is behind the SSL encryption
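The matching step of the version scan in miniature: a small signature table in the spirit of Nmap's nmap-service-probes, applied to what a port sends back, including the case where a plaintext probe hits a TLS-wrapped port. This is an added example, not code from the lecture or from Nmap (Nmap's real database is far larger and its regexes are its own); the replies in `SAMPLE_REPLIES` are constructed, the signature regexes are illustrative, and `grab()` is the only part that talks to a network.

```python
"""Banner-based service/version identification in the style of Nmap's version
scan.  Added example, not from the lecture or from Nmap.  The regex table is
illustrative and the replies in SAMPLE_REPLIES are constructed."""

import re
import socket

# (service, regex over the start of the reply, version template with backrefs)
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-(\d\.\d)-(\S+)"), rb"\2 (protocol \1)"),
    ("smtp", re.compile(rb"^220[ -]\S+ ESMTP (\S+)"), rb"\1"),
    ("ftp",  re.compile(rb"^220[ -].*?(vsFTPd|ProFTPD|FileZilla Server)\s*(\S*)", re.S), rb"\1 \2"),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3} .*?\r\nServer: ([^\r\n]+)", re.S), rb"\1"),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3} "), b"unknown server"),
]

PROBE_HTTP = b"GET / HTTP/1.0\r\n\r\n"    # sent when the service stays silent

def identify(reply: bytes):
    """(service, version) for a reply; ('ssl', ...) when the port is TLS-wrapped;
    (None, None) when nothing matched."""
    if not reply:
        return None, None
    # Plaintext sent to a TLS port usually gets a TLS alert record back:
    # content type 0x15, version 0x03xx.  Nmap would now redo its probes
    # inside a TLS session; this example only reports the wrapper.
    if reply[0] == 0x15 and reply[1:2] == b"\x03":
        return "ssl", "redo detection inside a TLS session"
    for service, pattern, template in SIGNATURES:
        m = pattern.match(reply)
        if m:
            return service, m.expand(template).decode(errors="replace").strip()
    return None, None

def grab(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect, wait briefly for a banner; if the service is silent (HTTP is),
    send an HTTP probe and return whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
        if not data:
            try:
                s.sendall(PROBE_HTTP)
                data = s.recv(4096)
            except (socket.timeout, OSError):
                data = b""
    return data

# Constructed replies, port -> first bytes received (after the HTTP probe where needed).
SAMPLE_REPLIES = {
    22:   b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    25:   b"220 mail.example.com ESMTP Postfix\r\n",
    80:   b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
    443:  b"\x15\x03\x01\x00\x02\x02\x0a",       # TLS alert: fatal, unexpected_message
    3000: b"HTTP/1.0 404 Not Found\r\n\r\n",     # HTTP without a Server header
    8022: b"SSH-2.0-dropbear_2020.81\r\n",       # SSH "hidden" on an odd port
}

def version_scan(replies=SAMPLE_REPLIES) -> dict:
    """port -> (service, version) for a set of captured replies."""
    return {port: identify(data) for port, data in replies.items()}

if __name__ == "__main__":
    for port, (service, version) in sorted(version_scan().items()):
        print(f"{port:<6} {service or '?':<6} {version or ''}")
```

Port 8022 is the point of slide 42: the odd port number hides nothing once the banner is read, and port 443 shows why Nmap bothers to complete the SSL handshake before probing again.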

Slide 44: More Scanning
OS identity by stack fingerprinting
- The attacker needs to know the OS and version, looking for a way into the system: what vulnerabilities does it have?

Slide 45: More Scanning
OS identity by stack fingerprinting: how and why does this work?
- Nmap sends packets to various ports, including SYN packets to open and closed ports, NULL packets to open and closed ports, and ACK packets to open and closed ports
- Some implementations send an RST in response, some send nothing, and some send ICMP port unreachable; the details of the replies (flags, window size, TCP options, TTL) also differ from stack to stack
- Nmap includes a database of the different system responses, covering over 1000 platforms

Slide 46: Scanning Defenses
What can you do against scanning? Close down all unnecessary ports. Find them first:
- Windows XP: netstat -ano | findstr LISTENING (findstr is the Windows equivalent of grep) shows the listening ports and the process IDs of the listening processes
- Windows third-party tools show more information: Fport, www.foundstone.com; OpenPorts, http://diamondcs.com.au/consoletools/openports.php

Slide 47: Scanning Defenses
Linux
- netstat -nap finds in-use ports and their PIDs (netstat -nlp restricts the list to listening sockets; ss -lntup is the modern equivalent)
- lsof -i shows all TCP/IP sockets and the processes holding them
- lsof -p [pid] shows every file and socket one process has open

Slide 48: Defenses Against Scanning
On-line scanners can help. For people who want to scan their own computers on-line, there are several sites:
- http://www.auditmypc.com
- http://www.hackerwatch.org/probe
- http://www.dslreports.com/tools?r=341
Most do simple scans for obvious vulnerabilities.

Slide 49: Scanning Defenses
Once you have found all the open ports:
- See if each service is needed
- If not, disable the service permanently. On Windows: Start -> Run... services.msc, then click the service, click Stop and set its Startup type to Disabled

Slide 50: Scanning Defenses
Linux, continued: disable services
- Comment out its line in /etc/inetd.conf
- If started by xinetd, set "disable = yes" in /etc/xinetd.d/[service] (or delete the file)
- chkconfig --list is another way to see the services installed; it comes with Red Hat, Mandrake and other Linux versions (not Ubuntu). chkconfig [service] off turns one off
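The "find the listening ports, then decide which are needed" procedure of slides 46 to 50, as a script: it parses the listening-socket lines of Linux `netstat -nlp` and Windows `netstat -ano` output and marks each listener keep, local-only or review. This is an added example, not code from the lecture or from any of the tools on it; the two netstat outputs are constructed, and the set of "needed" services is an assumption of the example.

```python
"""Turn `netstat` listening-socket output into an audit list of services to
review or disable, as the defence slides describe.  Added example, not from the
lecture or from any tool on it; it understands the Linux `netstat -nlp` and
Windows `netstat -ano` line layouts.  Both samples below are constructed."""

import re
from typing import NamedTuple

class Listener(NamedTuple):
    proto: str      # "tcp" or "udp" (the IPv6 variants are folded in)
    addr: str       # bound address; 0.0.0.0, :: or [::] means every interface
    port: int
    pid: str
    program: str    # "?" when netstat could not show it

# Linux:   tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd   (udp rows have no state)
LINUX_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(LISTEN)?\s*(\d+|-)/?(\S*)")
# Windows: TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 884           (UDP rows have no state)
WINDOWS_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(LISTENING)?\s*(\d+)$")

def parse_listeners(text: str) -> list:
    """Listening sockets only; established connections and headers are skipped."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINUX_RE.match(line)
        if m:
            proto, addr, port, state, pid, prog = m.groups()
            if proto.startswith("tcp") and state != "LISTEN":
                continue
            found.append(Listener(proto.rstrip("6"), addr, int(port), pid, prog or "?"))
            continue
        m = WINDOWS_RE.match(line)
        if m:
            proto, addr, port, state, pid = m.groups()
            if proto == "TCP" and state != "LISTENING":
                continue
            found.append(Listener(proto.lower(), addr, int(port), pid, "?"))
    return found

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
# What this host is supposed to offer (an assumption for the example): SSH and web.
NEEDED = frozenset({("tcp", 22), ("tcp", 80)})

def audit(listeners, needed=NEEDED) -> list:
    """Pair each listener with a verdict: keep (expected), local-only (bound to
    loopback, so not reachable from the network) or review (exposed and not expected)."""
    out = []
    for l in listeners:
        if (l.proto, l.port) in needed:
            verdict = "keep"
        elif l.addr in LOOPBACK:
            verdict = "local-only"
        else:
            verdict = "review"
        out.append((l, verdict))
    return out

def exposed(text: str, needed=NEEDED) -> list:
    """(proto, port, program) for every exposed listener that is not expected."""
    return sorted({(l.proto, l.port, l.program)
                   for l, v in audit(parse_listeners(text), needed) if v == "review"})

LINUX_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      734/cupsd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      901/inetd
tcp6       0      0 :::80                   :::*                    LISTEN      1203/apache2
udp        0      0 0.0.0.0:111             0.0.0.0:*                           655/rpcbind
"""

WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1520
  TCP    10.0.0.12:139          0.0.0.0:0              LISTENING       4
  TCP    10.0.0.12:49671        203.0.113.80:443       ESTABLISHED     2208
  UDP    0.0.0.0:123            *:*                                    1092
"""

if __name__ == "__main__":
    for name, text in (("linux", LINUX_SAMPLE), ("windows", WINDOWS_SAMPLE)):
        for l, v in audit(parse_listeners(text)):
            print(f"{name:8} {l.proto}/{l.port:<6} {l.addr:<12} pid {l.pid:<5} {l.program:<10} {v}")
```

The "review" list is the input to slides 49 and 50: for the Linux sample it is telnet (inetd) and rpcbind, the two things a scanner will find that the host was not meant to offer.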

Slide 51: Scanning Defenses
Stateful packet filtering
- Keeps track of existing connections, typically in a connection table
- For TCP connections, will not allow ACK packets into the network unless they belong to an existing TCP conversation: there must have been an earlier SYN. This is what defeats the ACK scan of slide 38, which then sees every port as filtered
- For FTP, a data connection is only allowed once the control connection has been set up
- Covered more in depth when we cover firewalls
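A toy stateful filter next to the stateless "drop inbound SYN" rule of slide 38, run against both a legitimate web session and an Nmap-style ACK scan, to show why the ACK scan sees unfiltered ports through one and only filtered ports through the other. This is an added example, not code from the lecture or from any firewall; the packets are constructed tuples, the addresses are documentation ranges, and the public-port list and the simplified teardown rule are assumptions of the example.

```python
"""Toy stateful packet filter beside a stateless SYN-blocking rule, replaying
an ACK scan and a normal session through each.  Added example, not from the
lecture or from any firewall product; packets are constructed, nothing is sent."""

from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from the inside)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # subset of "SAFR", e.g. "S", "SA", "A"

PUBLIC_PORTS = frozenset({80, 25})   # assumption: inside web and mail servers

def stateless_filter(pkt: Packet, public_ports=PUBLIC_PORTS) -> bool:
    """Slide 38's rule: drop inbound packets that have only SYN set (a connection
    opening) unless they are aimed at a public service.  Everything else,
    including a bare ACK, is assumed to belong to some existing connection."""
    if pkt.direction == "in" and pkt.flags == "S" and pkt.dport not in public_ports:
        return False
    return True

class StatefulFilter:
    """Slide 51's rule: keep a connection table keyed on the 4-tuple as seen from
    the inside; only packets that match an entry, or that legitimately open
    one, are allowed."""

    def __init__(self, public_ports=PUBLIC_PORTS):
        self.public_ports = set(public_ports)
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def _key(self, pkt: Packet):
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def allow(self, pkt: Packet) -> bool:
        key = self._key(pkt)
        if key in self.table:
            if "R" in pkt.flags or "F" in pkt.flags:
                self.table.discard(key)      # teardown, simplified to first FIN/RST
            return True
        if pkt.flags == "S":                 # a new connection, no entry yet
            if pkt.direction == "out" or pkt.dport in self.public_ports:
                self.table.add(key)
                return True
            return False
        return False                         # ACK or data with no SYN seen: drop

def ack_scan_results(fw_kind: str, ports=(1024, 1025, 1026)) -> dict:
    """Replay an ACK scan from outside against an inside host through the
    chosen filter; port -> what the scanner concludes (slide 40's rules)."""
    fw = StatefulFilter()
    results = {}
    for p in ports:
        probe = Packet("in", "198.51.100.7", 40000 + p, "10.0.0.5", p, "A")
        passed = stateless_filter(probe) if fw_kind == "stateless" else fw.allow(probe)
        # An ACK that reaches the host is answered with an RST whether the port
        # is open or closed; a dropped one gets silence.
        results[p] = "unfiltered" if passed else "filtered"
    return results

def legitimate_session(fw_kind: str) -> list:
    """Inside client 10.0.0.5 fetches a page from an outside web server; the
    verdict for each packet in order.  The last packet is a forged ACK to a
    port that never opened a connection."""
    fw = StatefulFilter()
    check = stateless_filter if fw_kind == "stateless" else fw.allow
    flow = [
        Packet("out", "10.0.0.5", 52000, "203.0.113.80", 80, "S"),
        Packet("in", "203.0.113.80", 80, "10.0.0.5", 52000, "SA"),
        Packet("out", "10.0.0.5", 52000, "203.0.113.80", 80, "A"),
        Packet("in", "203.0.113.80", 80, "10.0.0.5", 52000, "A"),     # data
        Packet("in", "203.0.113.80", 80, "10.0.0.5", 52001, "A"),     # forged
    ]
    return [check(p) for p in flow]

if __name__ == "__main__":
    for kind in ("stateless", "stateful"):
        print(kind, "ACK scan:", ack_scan_results(kind))
        print(kind, "session :", legitimate_session(kind))
```

Both filters pass the real session; only the stateful one rejects the forged ACK and the scan probes, and it does so without any rule that mentions the ACK flag, purely from the absence of a table entry.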

Slide 52: The End
Lab this week is Metasploit; try to read about it beforehand. Links are on the Relevant Links page and the Lecture 6 slides.

