scanning this presentation is an amalgam of presentations by mark michael, randy marchany and ed...
TRANSCRIPT
Scanning
This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis.
I have edited and added material.
Dr. Stephen C. Hayne
The Source!
“Network Scanning Techniques – Understanding how it is done”
Author: Ofir Arkin
NETWORK SCANNING
Fire
Internet
Gateway
Web Server
Mail Server Database Server
Domain Controller
Inte
rnal T
hre
ats
Exte
rnal Th
reats
wall
SCANNER SCANNER
Desktops
Intro to Intelligence Gathering Techniques 3 Major Steps
Foot Printing Scanning Enumeration
Similar to Military Gather information on the target Analyze weaknesses Construct and launch attack
Footprinting
Construct a profile of the target site Adminstrative, technical & billing
contacts from the ARIN database (whois utility)
IP Address range DNS Servers Mail Servers Firewalls
Scanning
Art of detecting which systems are alive and reachable on the Internet
What services do they offer? TCP/UDP running on each system System architecture (Unix,
Windows, etc.) OS version and patch levels
Enumeration The process of extracting valid
accounts or exported resource names from systems
Uses active connections to systems and queries, therefore, more intrusive than footprinting or scanning
OS specific Gathers userid, group names, system
banners, routing tables, SNMP info
Intro to Scanning
What are scanners doing? What do they look like(signature)? How do they operate in order to
accomplish their tasks? What kind of information is
collected? How serious is the threat?
Scanning: Ping Sweeps ICMP Echo Requests(ICMP Type 8) to the
target and wait for ICMP Echo Reply (ICMP Type 0)
Unix Tools Fping, gping, nmap
Windows Ping, pinger from Rhino9 (this is a extremely
fast scanner that sends multiple ICMP echo requests concurrently
Defense: block ICMP echo requests
Scanning: Broadcast ICMP
Send ICMP Echo Request to broadcast address on the subnets
Unix boxes will answer requests directed to the network so we can identify the Unix boxes using this technique
Windows boxes won’t respond
Scanning: Non-ECHO ICMP Use non-ECHO ICMP protocols to
bypass the ‘block ICMP echo’ filters ICMP type 13 (TIMESTAMP) will
query a system for the current time ICMP type 17 (Address Mask
Request) is used by diskless systems to obtain its subnet mask at boot time.
Tools: icmpush, icmpquery
Scanning: TCP Sweeps TCP SYN or TCP ACK packets sent to
the target network telnet, FTP, HTTP, SMTP are the
common ports scanned Firewalls can spoof the response so
this isn’t a reliable scanning method Tools: nmap, hping (also allows
packet fragments to be sent)
Scanning: UDP Sweeps Relies on the ICMP PORT UNREACHABLE
message which is sent by a closed UDP port
If not received, the port is assumed to be open
Not reliable because: Routers can drop UDP packets Many UDP services don’t respond correctly Firewalls usually drop UDP packets except DNS
Scanning: Port Scanning
Goal: determine what services are running or in a LISTENING state
The services may suffer from vulnerabilities
A number of port scan techniques
Port Scanning TCP Connect() scan SYN packet sent to target port If SYN/ACK is received, port is active If RST/ACK is received, port is dead Finish the 3-way sequence by
sending an ACK then terminate the connection
Easily detected by looking at syslogs for connection or error messages
Port Scanning
TCP Half Open Scan (SYN Scan) Send the SYN packet to the target If SYN/ACK received, the port is
active If RST/ACK received, the port is
dead We do NOT complete the connection
Advanced Port Scanning Stealth Scanning techniques Intentionally violate the 3-way handshake SYN/ACK scan FIN scan XMAS scan NULL scan RFC 793 states that closed ports must
reply with a RST packet to our probe
Stealth Scanning
SYN/ACK scan Send SYN/ACK to target (step 2 of the
3 way handshake) TCP should respond with RST because
it figures this is a mistake We get a response which tells us the
port is closed Open ports do not send anything
Stealth Scanning
FIN scan Send a FIN to the target Wait for reply Open ports will respond
XMAS scan Send TCP packet with all TCP flags –
URG, ACK, PSH, RST, SYN, FIN set
Stealth Scanning Null Scanning
Send TCP packet that turns off all flags The target should send a RST to all closed ports RFC 793 says this should work for every TCP
implementation Windows, CISCO, BSDI, HP/UX, MVS, Irix are
broken. They send RST to open ports as well. If FIN/NULL/XMAS scans show closed ports
then SYN scan them to find open ports. If they match, you have one of the above systems.
Inverse Mapping Gather info about hosts or networks which
aren’t there We make assumptions about what is there RESET Scan
Routers will give information on a net even if the question doesn’t make sense
Routers will report non-existent addresses No HOST UNREACHABLE or TIME EXCEEDED
means the IP exists
Inverse Mapping Proxy Scanning/FTP Bounce Scanning Attacker.com connects to FTP server which
has a world writable directory and opens a control connection
Attacker can then ask the FTP server to initiate an active server data xfer process to send a file anywhere on the net. Hobbit’s paper has more details
Use to scan behind a firewall
Port Scanning Techniques TCP Reverse Ident Scanning
Ident protocol (RFC 1413) determines the owner of a TCP connection by communicating on port 113
Full TCP connection to the host Slow scan
Defeats IDS that look for lots of connection in a short period of time.
Typical scan rate: 2 ports/day
Port Scanning Techniques Fragmentation Scanning
All IP packets can be fragmented RFC 791 defines the min/max fragment
size 8 octets (min frag size) are enough to
contain the src/dst port numbers This forces the TCP flags field into the
second fragment
Port Scanning Techniques Fragmentation Scanning
Some filters/IDS may incorrectly reassemble or completely miss portions of the scan
Filters that queue all IP fragments can handle this method
Fixed in most vendor’s products
Port Scanning Techniques
Decoy Scanning The target net thinks the hosts you
specify as decoys are scanning them also
Makes it impossible to determine who the real scanner is
Signature: TTL field usually contained the same number
Nmap bypasses this error Traceroute the source IP
Port Scanning Techniques
Coordinated Scans Multiple IP’s used in the scan Each one of them probes specific ports in
a different time period, different scan rate Detection depends on the time period the
probes take place Coordinated scans are the most discrete
way of probing a target
Operating System Detection
Banner Grabbing Telnet banners identify the OS version
FTP/IIS SYST command
DNS HINFO Record Pair of strings identifying the host’s HW
Operating System Detection
TCP/IP/Stack Fingerprinting Uses distinct variation in TCP stack
implementation to get the OS type Send specific TCP packets to target and
observe the response Varies with vendor because they
interpret the RFC differently when they wrote their TCP stacks
Operating System Detection
FIN packet sent to open port. RFC 793 says “don’t respond to the FIN”.
Many stacks will respond with a RST. Windows, BSDI, CISCO, HPUX, MVS, Irix do this.
Operating System Detection
Bogus Flag Probe SYN packet with undefined flag is sent Linux < 2.0.35 will keep the flag in their response.
Other OS will RST the connection TCP ISN sampling
Find pattern of the ISN Traditional 64K (older Unix) Random Increment (FreeBSD, DGUX, Irix, newer
Solaris) True Random (linux) Time Dependent Modules (MS Windows)
Operating System Detection
Don’t Fragment Bit Some OS use this bit to enhance
performance TCP Initial Window
Some OS stack implementations have a unique initial window size on their returned packets
AIX returns Ox3F25, OpenBSD, FreeBSD use 0x402E
Operating System Detection
ACK Value Some IP stacks differ in the value they
use for the ACK field Send FIN/PSH/URG to a closed port. Most
implementation will set the ACK number in the returned packet to be the same as the sequence number received.
Windows responds with ACK=Sqn#+1
Operating System Detection
ICMP Error Message Quenching RFC 1812 suggests limits on various error
message rates. Only a few OS follow the RFC.
Send UDP packets to random, high, UDP port and count the number of unreachable messages received within a given amount of time.
Operating System Detection
ICMP Message Quoting ICMP error messages should quote a small
amount of info from the ICMP message that caused the error.
Example: Host unreachable This is quoted when the PORT
UNREACHABLE message is received in the IP Header + 8 bytes.
Solaris and Linux provide more info than is needed
Operating System Detection
ICMP Error Message Echoing Integrity Some OS stack implementations alter the
IP header when sending back an ICMP error message.
Another way to target an OS. ICMP Type of Service
ICMP PORT UNREACHABLE TOS field Linux uses 0xC0 for this value. All others use 0.
Operating System Detection
Fragmentation Handling Different stack implementations handle
overlapping fragments differently. TCP Options
RFC 793, RFC 1323 define TCP options. Not all OS implement host options.
Send query with option set. Target sets the option only if it supports it. Some OS support advanced options, others don’t.
Banner Checks Check the service output retrieved during TCP
port scan for version number220 mail.domain.com ESMTP Sendmail 8.6.1/8.6.1,
the version number indicates a vulnerability. Banner checks cannot always determine whether
a vulnerability has been patchedVulnerabilities that can be detected by banner checks include:
– SMTP (Sendmail, MMDF, Lotus Domino, etc.)– POP/IMAP– FTP (wu-ftpd, etc.)– SSH– INN
URL CHECKS
Check for vulnerabilities in specific programs on web server:
You can try to exploit the vulnerability:Check whether specially crafted URL returns contents of some file which is known to reside on the server.
Or just see if the file exists on the web server:Check whether URL returns 200 OK response.
Firewalking
A technique used to gather information about a remote network protected by a firewall.
2 purposes Determine the ACL of a FW by mapping
open ports on the FW. If FW drops ICMP ECHO request/reply, this
technique is effective
Firewalking
Uses traceroute style packet filtering to determine whether the packet passes through the FW.
Need 2 pieces of info IP of last known gateway BEFORE the FW.
This is our waypoint. IP of host located behind the firewall.This
is used as a destination to direct packet flow.
Firewalking If we traceroute a host behind the FW and get
blocked by the ACL, we find the FW. We then try to traceroute same host using
different transport protocol (TCP, UDP, ICMP). If we get a response, 2 possible conclusions: This particular traffic is allowed by the FW. We know a host exists behind the FW.
Trying to pass packets on all ports/protocols through the FW, monitor the response will produce the ACL. Use slow scan to avoid detection! Send packets to all hosts inside the net.
War Driving With a laptop and wireless card, an attacker can
drive down the street and join many wireless LANs! Windows Tools:
NetStumbler WinPcap
Linux Tools: Airsnort WEPCrack
More here
War Chalking
Variant of “hobo” language Key:
SSID () – closed, )(– openBandwidth
Retina)(1.5
War Driving Defenses
Use Virtual Private Network (VPN) All data from end system to VPN
gateway inside of wireless device encrypted and authenticated
SLAN is a freeware VPN on Linux or Windows:
http://slan.sourceforge.net Allow connection to specific MACs
Conclusions
Understanding the importance of detecting these scans could prevent intrusions to the scanned systems.
Use an IDS to gather scan signatures. Develop filters for these scans