cit 380: securing computer systemswaldenj/classes/2015/spring/cit480/...cit 480: securing computer...
TRANSCRIPT
CIT 480: Securing Computer Systems Slide #2
Topics
1. Port Scanning
2. Stealth Scanning
3. Version Identification
4. OS Fingerprinting
Port Scanning
Port scanning is a method of discovering
potential input channels on a host by proving
the TCP and UDP ports on which services
may be listening.
CIT 480: Securing Computer Systems Slide #3
CIT 480: Securing Computer Systems Slide #4
nmap TCP connect() scan
> nmap -sT scanme.nmap.org
Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-26
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.11s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1720/tcp filtered H.323/Q.931
9929/tcp open nping-echo
done: 1 IP address (1 host up) scanned in 9.92 seconds
CIT 480: Securing Computer Systems Slide #5
Scanning Techniques
1. TCP connect() scan
2. TCP SYN scan
3. TCP FIN scan
4. TCP Xmas scan
5. TCP Null scan
6. TCP ACK scan
7. Fragmentation Scan
8. FTP bounce scan
9. Idle Scan
10. UDP scan
CIT 480: Securing Computer Systems Slide #6
TCP connect() scan
• Use connect() system call on each port,
following normal TCP connection protocol
(3-way handshake).
• connect() will succeed if port is listening.
• Advantages: fast, requires no privileges
• Disadvantages: easily detectable and
blockable.
CIT 480: Securing Computer Systems Slide #7
TCP SYN Scan
• Send SYN packet and wait for response
– SYN+ACK
• Port is open
• Send RST to tear down connection
– RST
• Port is closed
• Advantage: less likely to be logged or blocked
• Disadvantage: requires root privilege
CIT 480: Securing Computer Systems Slide #8
TCP FIN scan
• Send TCP FIN packet and wait for response
– No response
• Port is open
– RST
• Port is closed.
• Advantages: more stealthy than SYN scan
• Disadvantages: MS Windows doesn’t follow standard (RFC 793) and responds with RST in both cases, requires root privilege.
CIT 480: Securing Computer Systems Slide #9
Xmas and Null Scans
• Similar to FIN scan with different flag
settings.
• Xmas Scan: Sets FIN, URG, and PUSH
flags.
• Null Scan: Turns off all TCP flags.
CIT 480: Securing Computer Systems Slide #10
TCP ACK Scan
• Does not identify open ports
• Used to determine firewall type
– Packet filter (identifies responses by ACK bit)
– Stateful
• Send TCP ACK packet to specified port
– RST
• Port is unfiltered (packet got through)
– No response or ICMP unreachable
• Port is filtered
CIT 480: Securing Computer Systems Slide #11
Fragmentation Scan
• Modify TCP stealth scan (SYN, FIN, Xmas,
NULL) to use tiny fragmented IP datagrams.
• Advantages: increases difficulty of scan
detection and blocking.
• Disadvantages: does not work on all Oses,
and may crash some firewalls/sniffers.
CIT 480: Securing Computer Systems Slide #12
FTP Bounce Scan
FTP protocol supports proxy ftp
– Client requests server send file to another IP, port.
– If server can open connection, port is open.
Advantages:
– Hide identity of scanning host.
– Bypass firewalls by using ftp server behind firewall.
Disadvantages:
– Most ftp servers no longer support proxying.
– Printer ftp servers often do still support.
CIT 480: Securing Computer Systems Slide #13
Idle Scan
Use intermediate idle host to do scan.
– Idle host must increment IP ID for each packet.
– Idle host must not receive traffic from anyone other than attacker.
Scan Process
1. Attacker connects to idle host to obtain initial IP ID X.
2. Send SYN packet to port Y of target with spoofed IP of idle host.
3. If port is open, target host will send SYN+ACK to idle host.
4. Idle host with send RST packet with IP ID X+1 to target.
5. Attacker connects with SYN to idle host to obtain updated IP ID.
6. Idle host sends back SYN+ACK to attacker.
• Note that this action will increment IP ID by 1.
• If IP ID is X+2, then port Y on target is open.
Advantages: hides scanner IP address from target.
CIT 480: Securing Computer Systems Slide #14
UDP Scans
Send 0-byte UDP packet to each UDP portUDP packet returned
• Port is open
ICMP port unreachable
• Port is closed
Nothing
• Port listed as open|filtered
• Could be that packet was lost.
• Could be that server only returns UDP on valid input.
Disadvantages: – ICMP error rate throttled to a few packets/second (RFC 1812),
making UDP scans of all 65535 ports very slow.
– MS Windows doesn’t implement rate limiting.
CIT 480: Securing Computer Systems Slide #15
Version Scanning
• Port scanning reveals which ports are open
– Guess services on well-known ports.
• How can we do better?
– Find what server: vendor and version
– telnet/netcat to port and check for banner
– Version scanning
CIT 480: Securing Computer Systems Slide #16
Banner Checking with netcat
> nc www.nku.edu 80
GET / HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Sun, 07 Oct 2007 19:27:08 GMT
Server: Apache/1.3.34 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.25 OpenSSL/0.9.7a
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
127
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /<P>
</BODY></HTML>
CIT 480: Securing Computer Systems Slide #17
Version Scanning
1. If port is TCP, open connection.
2. Wait for service to identify self with banner.
3. If no identification or port is UDP,
1. Send probe string based on well-known service.
2. Check response against db of known results.
4. If no match, test all probe strings in list.
CIT 480: Securing Computer Systems Slide #18
nmap version scan
> nmap -sV scanme.nmap.org
Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-26 17:11 EDT
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.10s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
1720/tcp filtered H.323/Q.931
9929/tcp open nping-echo Nping echo
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
CIT 480: Securing Computer Systems Slide #19
More nmap Tools
Set source port
– Bypass firewall by using allowed source port.
– Use port 80 for TCP, port 53 for UDP scans.
Decoys
– Send additional scans from list of decoys.
– Spoof IP addresses of decoy hosts.
– Defender has to investigate decoys + attacker.
CIT 480: Securing Computer Systems Slide #20
Defences
Prevention
– Disable unnecessary services.
– Block ports at firewall.
– Use a stateful firewall instead of packet filter.
Detection
– Network Intrusion Detection Systems.
– Port scans often have distinct signatures.
– IPS can react to scan by blocking IP address.
CIT 480: Securing Computer Systems Slide #21
OS Fingerprinting
Identify OS by specific features of its
TCP/IP network stack implementation.
– Explore TCP/IP differences between OSes.
– Build database of OS TCP/IP fingerprints.
– Send set of specially tailored packets to host
– Match results to identical fingerprint in db to
identify operating system type and version.
CIT 480: Securing Computer Systems Slide #22
nmap OS fingerprint examples
> sudo nmap -O scanme.nmap.org
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.38 - 3.0
Uptime guess: 12.224 day
TCP Sequence Prediction: Difficulty=202 (Good luck!)
IP ID Sequence Generation: All zeros
> sudo nmap –v -O 192.168.1.1
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.18 - 2.4.35 (likely embedded)
Uptime guess: 29.789 days
TCP Sequence Prediction: Difficulty=196 (Good luck!)
IP ID Sequence Generation: All zeros
CIT 480: Securing Computer Systems Slide #23
OS Fingerprinting Techniques
FIN probe– RFC 793 requires no response
– MS Windows, BSDI, Cisco IOS send RST
Bogus flag probe– Bit 7 of TCP flags unused
– Linux <2.0.35 keeps flag set in response
TCP ISN sampling– Different algorithms for TCP ISNs
IP Identification– Different algorithms for incrementing IPID
CIT 480: Securing Computer Systems Slide #24
Passive Fingerprinting
• Identify OSes of hosts on network by sniffing
packets sent by each host.
• Use similar characteristics as active techniques:
– TTL
– MSS
– Initial Window Size
– Don’t Fragment bit
• Tools: p0f
CIT 480: Securing Computer Systems Slide #25
Fingerprinting Defences
Detection
– NIDS
Blocking
– Firewalling
– Some probes can’t be blocked.
Deception
– IPpersonality changes Linux TCP/IP stack signature to that of another OS in nmap db.
CIT 480: Securing Computer Systems Slide #26
Scanning Tools Summary
Information Tool
IP addresses of hosts ping, nmap -sP
Network topology traceroute, lft
Open ports nmap -sT -sU
Service versions nmap -sV
OS nmap –O, p0f
Vulnerabilities Nessus, OpenVAS
CIT 480: Securing Computer Systems Slide #27
References
1. Fyodor, NMAP documentation, http://nmap.org/docs.html.
2. Fyodor, “Remote OS detection via TCP/IP Stack FingerPrinting,” Phrack 54, http://www.insecure.org/nmap/nmap-fingerprinting-article.html
3. Gordon “Fyodor” Lyon, Nmap Network Scanning, 2008.
4. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.