Scanning
Scanning
1
Attack Phases
• Phase 1: Reconnaissance
• Phase 2: Scanning
• Phase 3: Gaining access
  o Application/OS attacks
  o Network attacks/DoS attacks
• Phase 4: Maintaining access
• Phase 5: Covering tracks and hiding

Scanning
• After recon phase attacker has…
  o Phone numbers, contact info
  o Domain names, IP addresses
  o Maybe some details about infrastructure
• Next, scanning
  o Like burglar trying doors and windows

Scanning
• Good guys
  o Must secure every entry point
  o Must work in a dynamic environment
  o Must deal with those pesky users
• Attacker
  o Only needs to find one hole
  o Can take as long as necessary
• “Sadly unfair” (all-too-common in security)

Scanning Techniques
• War driving
• War dialing
• Network mapping
• Port scanning
• Vulnerability scanning
• IDS and IPS

War Driving
• Scan for wireless access points
  o Preferably, not secured WLANs
• War driving started by Peter Shipley
  o Drove around Bay Area in 2001
• Now a very popular activity
  o Defcon has a WarDriving contest (including map of open access points)

War Driving
• Must be within 100 yards or so to reliably send/receive WLAN
• But, detectable from a mile or more
• War driver wants to find ESSID of WLAN
  o ESSID == Extended Service Set Identifier
  o ESSID is WLAN’s “name”
  o ESSID acts like a password (almost)
  o By default, ESSID is sent in the clear
  o Can configure access point to not send ESSID…

War Driving
• 802.11 “probe” message
  o Required to send ESSID in probe msg
  o But send “any” for ESSID and…
  o … some access points respond with ESSID!
• So, Trudy simply asks for ESSID
  o And sometimes she gets it
• Can configure to require BSSID (Basic SSID)
  o I.e., the MAC address must be on approved list
  o This helps, but only a little…

War Driving
• Many tools available
• Three basic techniques
  o Active scanning
  o Passive scanning
  o Forced de-authentication
• Tools use one (or more) of these

NetStumbler
• Active 802.11 scanning tool
  o Sends “probe” packets with “any” ESSID
  o Access point within range might respond
  o Like “running down the street shouting…”
• For Windows 2k, also version for PDAs
• Optionally uses GPS to locate access pts
• One hour in NYC: found 455 access pts

NetStumbler
• Gathers MAC address, ESSID, channel, and signal strength
  o Also, IP address (using DHCP)
  o Whether it is using WEP or not
• Limitations
  o Many access pts ignore “any” ESSID
  o Highly unstealthy

Wellenreiter
• Passive scanning tool
• Puts wireless card in rfmon mode
  o Aka “monitor mode”
  o Better than promiscuous mode
  o Gets everything --- no connection needed
  o Even if encrypted, ESSID still sent in clear
  o Can dump packets into Wireshark
• Also interfaces with GPS

Wellenreiter
• Gets ESSID, MAC, IP addresses
  o Entirely passive
• If access pt not sending ESSID
  o “Non-broadcasting”, name is unknown…
  o …until user “authenticates” to access pt
• Related tool: Kismet
  o Detailed packet analysis, not war driving

Wellenreiter
(screenshot slide)

Forced De-authentication
• Suppose that a particular access pt…
  o Does not accept “any”
  o Does not broadcast ESSID
  o Clients have previously authenticated
  o No clients currently communicating
• Invisible to NetStumbler, “non-broadcasting” to Wellenreiter
• What can Trudy do?

ESSID-Jack
• Assuming Trudy has access pt MAC address
  o Get MAC from Wellenreiter, Kismet
• De-authentication requires no “authentication”
  o That is, the ESSID is not required
  o Only need access point’s MAC address
• ESSID-Jack sends de-authentication msg
• Then what happens?

ESSID-Jack
• Client(s) automatically re-authenticate
  o ESSID-Jack gets ESSID
  o So Trudy gets ESSID

War Driving Defenses
• Set ESSID to nondescript name
  o 1234 instead of BankOfAmerica
• Do not broadcast ESSID
• Require authentication
• MAC address for authentication?
  o Easily spoofed
  o Unix/Linux tool: SirMACsAlot

WEP
• WEP == Wired Equivalent Privacy
• WEP uses RC4 for confidentiality
  o Considered a strong cipher
  o But WEP introduces a subtle flaw
• WEP uses CRC for “integrity”
  o Should have used a crypto hash instead
  o CRC is for error detection, not integrity

WEP Integrity Problems
• WEP “integrity” does not provide integrity
  o CRC is linear, so is stream cipher XOR
  o Can change ciphertext and CRC so that checksum remains correct --- undetected
  o This requires no knowledge of the plaintext!
  o Even worse if plaintext is known
• CRC is not a cryptographic integrity check!
  o CRC designed to detect random errors
  o Not designed to detect intelligent changes

WEP Key
• WEP encryption: long-term secret key, K
• RC4 is a stream cipher, so each packet must be encrypted using a different key
  o Initialization Vector (IV) sent with packet
  o Sent in the clear (IV is not secret)
• Actual RC4 key for packet is (IV,K)
  o That is, IV is pre-pended to K

Initialization Vector “Issue”
• WEP uses 24-bit (3 byte) IV
  o Each packet gets a new IV
  o RC4 packet key: IV pre-pended to long-term key, K
• Long term key K seldom (if ever) changes
• If long-term key and IV are same, then same keystream is used
  o This is bad!
  o It is at least as bad as reuse of one-time pad

Initialization Vector “Issue”
• Assume 1500 byte packets, 11 Mbps link
• Suppose IVs generated in sequence
  o Then 1500 × 8 / (11 × 10^6) × 2^24 ≈ 18,000 seconds
  o Implies IV must repeat in about 5 hours
• Suppose IVs generated at random
  o By birthday problem, some IV repeats in seconds
• Again, repeated IV (with same K) is bad!

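The two IV-repeat estimates on the slide above, worked through in code. This is an added example, not part of the slides: it takes the slide's assumptions (24-bit IV, 1500-byte packets, 11 Mbps link) as defaults and computes both the sequential-IV wrap time and, for random IVs, the exact birthday-problem count rather than only the square-root approximation.

```python
import math

IV_BITS = 24                 # WEP IV size from the slide
PACKET_BYTES = 1500          # packet size assumed on the slide
LINK_BPS = 11_000_000        # 11 Mbps link assumed on the slide


def packets_per_second(packet_bytes=PACKET_BYTES, link_bps=LINK_BPS):
    """Back-to-back packets of the given size that fit on the link per second."""
    return link_bps / (packet_bytes * 8)


def seconds_until_sequential_iv_wraps(iv_bits=IV_BITS, packet_bytes=PACKET_BYTES,
                                      link_bps=LINK_BPS):
    """Counter IVs: every value is used once, so the first repeat comes after
    2**iv_bits packets (the slide's 1500*8/(11*10^6) * 2^24)."""
    return (2 ** iv_bits) / packets_per_second(packet_bytes, link_bps)


def random_iv_collision_probability(n_packets, iv_bits=IV_BITS):
    """Birthday problem: probability that n uniformly random IVs contain a repeat.
    Exact product form, accumulated in log space so it does not underflow."""
    space = 2 ** iv_bits
    log_no_repeat = sum(math.log1p(-i / space) for i in range(n_packets))
    return 1.0 - math.exp(log_no_repeat)


def packets_until_random_iv_collision(p=0.5, iv_bits=IV_BITS):
    """Smallest n whose repeat probability reaches p. Starts from the usual
    approximation n ~ sqrt(2 N ln(1/(1-p))) and adjusts to the exact value."""
    space = 2 ** iv_bits
    n = max(1, int(math.sqrt(2 * space * math.log(1 / (1 - p)))))
    while random_iv_collision_probability(n, iv_bits) < p:
        n += 1
    while n > 1 and random_iv_collision_probability(n - 1, iv_bits) >= p:
        n -= 1
    return n


if __name__ == "__main__":
    secs = seconds_until_sequential_iv_wraps()
    print(f"sequential IVs: first repeat after {secs:,.0f} s (about {secs / 3600:.1f} h)")
    n = packets_until_random_iv_collision()
    print(f"random IVs: 50% chance of a repeat after {n} packets, "
          f"about {n / packets_per_second():.1f} s at line rate")
```

At line rate the link carries about 917 packets per second, so the sequential case wraps in roughly 18,300 seconds, and the random case reaches a 50% repeat probability after a few thousand packets, which is only seconds of traffic.
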
WEP Active Attacks
• WEP: “Swiss cheese” of security protocols
• If Trudy can insert traffic and observe corresponding ciphertext
  o Then she will know keystream for that IV
  o And she can decrypt next msg that uses that IV
• If Trudy knows destination IP address
  o She can change IP address in ciphertext
  o And modify CRC so it is correct
  o Then access point will decrypt and forward packet to Trudy’s selected IP address!
  o Requires no knowledge of the key K

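The CRC linearity point made on the WEP Integrity Problems slide and used again on the slide above, shown in code. This is an added example, not from the slides: a toy WEP-style frame (plaintext || CRC32, XORed with an RC4 keystream) is modified by XORing a mask into the ciphertext and patching the encrypted CRC using only the mask; the receiver's CRC check still passes. The same frame protected with a keyed HMAC instead of a CRC rejects the modification. RC4 is written inline because the standard library has none; the key, IV and payload are constructed sample values.

```python
import hashlib
import hmac
import zlib

# Constructed sample key material for the demo; any values behave the same way.
WEP_KEY = bytes(range(13))            # 104-bit WEP key
MAC_KEY = b"a separate MAC key"       # used only by the HMAC variant
IV = b"\x01\x02\x03"                  # 24-bit WEP IV


def rc4_keystream(key, length):
    """Textbook RC4 key scheduling + PRGA (the stdlib has no RC4)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_bytes(data):
    return zlib.crc32(data).to_bytes(4, "big")


def wep_encrypt(iv, key, plaintext):
    """WEP-style frame body: IV || RC4_{IV||K}(plaintext || CRC32(plaintext))."""
    body = plaintext + crc32_bytes(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key, frame):
    """Returns (plaintext, crc_ok) the way a WEP receiver would see it."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data, crc = plain[:-4], plain[-4:]
    return data, crc == crc32_bytes(data)


def xor_into_frame(frame, delta):
    """XOR `delta` into the encrypted payload and patch the encrypted CRC so the
    receiver's check still passes. CRC32 is affine over XOR:
        crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros of the same length)
    so the patch depends only on delta, not on the plaintext or the key."""
    iv, body = frame[:3], frame[3:]
    assert len(delta) == len(body) - 4
    crc_patch = xor(crc32_bytes(delta), crc32_bytes(bytes(len(delta))))
    return iv + xor(body, delta + crc_patch)


def mac_protect(frame):
    """What a keyed integrity check looks like: frame || HMAC-SHA256(frame)."""
    return frame + hmac.new(MAC_KEY, frame, hashlib.sha256).digest()


def mac_verify(tagged):
    frame, tag = tagged[:-32], tagged[-32:]
    return hmac.compare_digest(tag, hmac.new(MAC_KEY, frame, hashlib.sha256).digest())


def run_demo():
    plaintext = b"dst=10.0.0.5 hello"          # constructed sample payload
    frame = wep_encrypt(IV, WEP_KEY, plaintext)
    delta = bytearray(len(plaintext))
    delta[11] = ord("5") ^ ord("6")            # flips the '5' to a '6' under the cipher
    tampered = xor_into_frame(frame, bytes(delta))
    data, crc_ok = wep_decrypt(WEP_KEY, tampered)

    tagged = mac_protect(frame)
    tagged_tampered = xor_into_frame(tagged[:-32], bytes(delta)) + tagged[-32:]
    return {
        "tampered_plaintext": data,
        "crc_ok_after_tamper": crc_ok,                        # True: CRC did not notice
        "hmac_ok_untouched": mac_verify(tagged),
        "hmac_ok_after_tamper": mac_verify(tagged_tampered),  # False: the MAC did
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The only input to the CRC patch is the mask itself, which is exactly the slide's point that the change "requires no knowledge of the plaintext" or of K; the HMAC variant fails verification because a keyed MAC is not linear in the message.
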
War Driving Defenses
• WEP is of limited value
• WPA (Wi-Fi Protected Access)
  o RC4, 48 bit IV, “MIC” (named Michael) for integrity, replay protection, etc.
  o Works with same hardware as WEP
• 802.11i (or WPA2)
  o Like WPA but crypto is better (AES)
  o Requires different hardware than WEP
• Can try to detect unusual activity
• Turn down the volume…

Wireless Security
• VPN == Virtual Private Network
• VPN provides extra layer of security
  o Secure “tunnel” between endpoints
  o Not wireless-specific
  o But can be used to secure wireless
  o On top of WEP or WPA
  o Author says, do not use IKE pre-shared keys in aggressive mode

War Dialing
• Dial lots of phone numbers
  o Looking for unprotected modems
  o One PC can scan 1k numbers/night
• The movie War Games (circa 1983)
  o Kid tries to break into game company…
  o …and accidentally starts WWIII
  o Plot (such as it is) hinges on war dialing

War Dialing
• Can this possibly still be an issue?
  o User might want to bypass annoying VPN
  o Admin might want remote access
• User might install remote access tool
  o pcAnywhere, for example
  o Only protection from war dialer is pwd?

War Dialing
• How to find phone numbers to try?
  o Internet, Whois database, organization’s Web site, social engineering, …
• Maybe try numbers with same prefix
• Easy to test 1,000s of numbers

THC-Scan
• Free war dialing tool

THC-Scan
• Can dial sequence, random, or list
  o “Random” to avoid detection
• Parallel process on multiple machines
• Nudging
  o Try to determine useful info
• Can randomize interval between dialing
• Detect jamming (based on busy signals)
• If human answers, “hangs up” (click)

THC-Scan
• Not too user-friendly
  o User must look at logs
• Some numbers…
  o Might not require any password
  o Might require special software (pcAnywhere)
  o Such info gathered via “nudging”
• If password is required,
  o Trudy can try password cracking

War Dialing Defenses
• Modem policy
  o When possible, use VPN
  o If possible, allow dial-out only
• War dial against yourself
  o Find modems before attacker does
  o For Windows, can use Windows Management Instrumentation (WMI) scripts
• Visual inspection

Network Mapping
• At this point, attacker is either…
• On the outside looking in
  o I.e., on Internet looking at target DMZ
• Has inside access
  o Attached to WLAN found war driving
  o Connected via a modem found war dialing
• Next step is to analyze target network
  o Looking for potential targets
  o Critical hosts, routers, firewalls, …

Network Mapping
• Mapping tools will be aimed wherever attacker can reach
  o If outside, map DMZ, Web server, etc.
  o If inside, map internal network
• In either case, same tools
  o Similar methods

Sweeping
• Want an inventory of accessible systems
• Could ping every possible address
  o But often blocked by firewall
• Send TCP packets to common port(s)
  o Look for SYN-ACK to come back
• Send UDP packets with unusual port
  o If closed, may get “port unreachable”
  o But, maybe nothing is sent back

Traceroute
• TTL field in IP header
  o Usually decremented by each router
• When TTL reaches 0…
  o Router kills packet
  o Sends ICMP time exceeded msg to source
• Traceroute
  o UNIX: traceroute uses UDP packets
  o Windows: tracert uses ICMP packets

Traceroute
• Map routers from source to dest

tracert
• In Windows

Ping and Traceroute
• Might find, for example:

Automated Tool
• Cheops-ng
  o Free
  o Pretty pictures
  o Lots of info (type of OS …)
  o Useful for admins too

Network Mapping Defenses
• Block incoming ICMP packets
  o Except those you want outsiders to ping
• Block outgoing ICMP time exceeded
  o Except for specific addresses
  o Then (***) responses in traceroute
• Limits attacker’s ability to map network
  o Also limits good uses of these features

Port Scanning
• At this point, attacker knows…
  o Addresses of live systems
  o Basic network topology
• Now what? Assume Trudy is outsider
• Trudy wants to determine open ports
  o 65k TCP ports and 65k UDP ports
  o Well-known ports correspond to services
  o Open port is a doorway into machine

Port Scanning
• Port scanning
  o Knock on “doors” (ports) to see which are open
• Why not simply try all TCP and UDP ports?
  o Not stealthy
• Instead can try limited range
  o More stealthy, but might miss something
• Could instead just go slow
  o Maybe too slow (or Trudy is too impatient)
• Distributed port scan?

Nmap
• Nmap --- most popular port scan tool
• Many many options…
  o Developed by Fyodor
  o Free at www.insecure.org
  o Unix, Linux and Windows versions
  o Command line and GUI
  o Appeared in The Matrix Reloaded

Nmapfe
• “Nmap front end”

TCP 3-Way Handshake
• Recall the 3-way handshake…

TCP Connect Scan
• “Polite scan”
• Complete the TCP 3-way handshake
  o Nmap sends SYN, wait for SYN-ACK
  o If port is open, Nmap sends ACK, then FIN
  o If closed, no reply, RESET, ICMP unreachable
• Plusses?
  o Should not cause problem for target
• Minuses?
  o Not stealthy, Trudy’s IP address in logs, etc.

TCP SYN Scans
• Nmap sends SYN
  o Gets SYN-ACK, ICMP unreachable, etc.
  o In any case, Nmap sends RESET
  o I.e., only 2/3rds of 3-way handshake completed
• Plusses?
  o Stealthier (may not be logged by host)
  o Faster, fewer packets
• Minuses?
  o Accidental DoS attack?

FIN Scan
• FIN scan
  o Send FIN for non-existent connection
  o Port closed, protocol says send RESET
  o Port open, protocol says nothing
  o No reply may indicate port is open

Xmas Tree and Null Scans
• Xmas tree scan
  o All flag bits set: URG,ACK,PSH,RST,SYN,FIN
• Null scan
  o Send packet with no flag bits set
• Both of these violate protocol
• Expect same behavior as FIN scan
• Note: These do not work against Windows
  o Since Windows does not follow the RFCs

TCP ACK Scan
• Simpleminded packet filter might…
  o Allow outbound, established connections
  o Block incoming if ACK bit not set

TCP ACK Scan
• Packet filter assumes
  o ACK bit set ⇒ established connection
• How can Trudy take advantage of this?
• Send packets with ACK bit set!
  o These pass thru open ports
  o Allows for simple port scan of firewall

TCP ACK Scan
• No response/unreachable: filtered
• RESET if port is not filtered

TCP ACK Scan
• Trudy learns…
  o Kinds of established connections that are allowed thru packet filter
• ACK scan used to determine filtering rules
• ACK scan not so useful for scanning open ports on a host
  o Different OSs respond differently
  o Some RESET if port is open, some if port closed

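The scan types on the preceding slides (connect, SYN, FIN, Xmas tree, null and ACK) seen from the defender's side: detection logic run over a constructed set of inbound-segment records of the form a sensor might log. This is an added example, not from the slides or from any IDS product; the record format, the threshold of eight distinct ports, and every address and port are assumptions made for the example.

```python
from collections import defaultdict

ALL_FLAGS = frozenset({"URG", "ACK", "PSH", "RST", "SYN", "FIN"})
PORT_THRESHOLD = 8      # illustrative: distinct ports before a source is called a scanner


def probe_kind(flags):
    """Label one inbound TCP segment by its flag combination."""
    flags = frozenset(flags)
    if not flags:
        return "null"                # null scan: no flags at all
    if flags == ALL_FLAGS:
        return "xmas"                # Xmas tree scan: every flag lit
    if flags == {"FIN"}:
        return "fin"                 # FIN scan: FIN with no connection
    if flags == {"SYN"}:
        return "syn"                 # connection attempt (connect or SYN scan)
    if flags == {"ACK"}:
        return "ack"                 # bare ACK: handshake step 3, or an ACK probe
    return "other"


def summarize_sources(records, port_threshold=PORT_THRESHOLD):
    """records: iterable of (src, dst, dport, flags). Returns {src: verdict}.
    Many SYNs with no completing ACK looks like a SYN scan; many SYNs each
    followed by an ACK looks like a connect scan; bare ACKs to ports the source
    never SYNed look like an ACK scan; null/xmas/fin segments are malformed probes."""
    per_src = defaultdict(lambda: {"syn": set(), "done": set(),
                                   "ack_only": set(), "malformed": 0})
    for src, dst, dport, flags in records:
        kind = probe_kind(flags)
        state = per_src[src]
        key = (dst, dport)
        if kind == "syn":
            state["syn"].add(key)
        elif kind == "ack":
            (state["done"] if key in state["syn"] else state["ack_only"]).add(key)
        elif kind in ("null", "xmas", "fin"):
            state["malformed"] += 1
    verdicts = {}
    for src, state in per_src.items():
        half_open = len(state["syn"] - state["done"])
        if state["malformed"] >= port_threshold:
            verdicts[src] = "stealth-scan"
        elif half_open >= port_threshold:
            verdicts[src] = "syn-scan"
        elif len(state["syn"]) >= port_threshold:
            verdicts[src] = "connect-scan"
        elif len(state["ack_only"]) >= port_threshold:
            verdicts[src] = "ack-scan"
        else:
            verdicts[src] = "normal"
    return verdicts


def sample_records():
    """Constructed sensor records, one tuple per inbound segment."""
    recs = []
    for p in range(20, 32):                                   # SYN scan: 12 half-open probes
        recs.append(("10.0.0.9", "192.0.2.10", p, {"SYN"}))
    for p in range(80, 90):                                   # connect scan: full handshakes
        recs.append(("10.0.0.7", "192.0.2.10", p, {"SYN"}))
        recs.append(("10.0.0.7", "192.0.2.10", p, {"ACK"}))
    for p in range(1, 10):                                    # Xmas tree probes
        recs.append(("10.0.0.5", "192.0.2.10", p, ALL_FLAGS))
    for p in range(1000, 1010):                               # ACK scan against the firewall
        recs.append(("10.0.0.3", "192.0.2.1", p, {"ACK"}))
    recs += [("10.0.0.2", "192.0.2.10", 443, {"SYN"}),         # ordinary client, one connection
             ("10.0.0.2", "192.0.2.10", 443, {"ACK"}),
             ("10.0.0.2", "192.0.2.10", 443, {"ACK", "PSH"})]
    return recs


if __name__ == "__main__":
    for src, verdict in sorted(summarize_sources(sample_records()).items()):
        print(f"{src:10} {verdict}")
```

The split between "syn-scan" and "connect-scan" is the half-open count: a SYN scan never sends the third-step ACK, so every probed port stays half-open, which is also why the slide says a SYN scan "may not be logged by host".
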
FTP Bounce Scan
• Obscures source of scan
  o So Trudy’s address not logged
  o Stealthy
• Relies on FTP forwarding
  o User can request that a file be forwarded to another machine
  o Mostly disabled today

FTP Bounce Scan
• FTP server informs attacker of result

Idle Scanning
• Suppose no forwarding FTP server
• Another way to obscure source of scan
• IP header has ID field
  o Used to group fragments together
  o ID must be unique per packet
  o Often just increment a counter (Windows)

Idle Scanning
• Pick a machine to blame for scan
• Blamed machine…
  o Attacker must be able to send/receive
  o Must have predictable IP IDs
  o Mostly idle, does not send much traffic (why?)
  o So IP IDs are predictable
• Make it look like this machine scans
  o See next slide

Idle Scanning
• Prepare to scan

Idle Scan
• For the scan…
• Attacker sends spoofed SYN to target
  o “Source” is the blamed machine
  o Selected port
• Port listening: SYN-ACK to blamed machine
  o Blamed machine sends RESET to target
• Port closed: RESET/nothing to blamed
  o Blamed machine sends nothing
• So what???

Idle Scanning
• Recall, last IP ID is X (next is X + 1)

Idle Scan
• Very clever!
• Nmap automates this
• May need to repeat multiple times
  o If blamed guy is not “idle enough”
• May want to use several blamed guys
• Other improvements?

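The IP ID side channel described on the Idle Scanning slides, modelled in memory. This is an added example, not part of the slides: three simulated hosts exchange toy segments following the SYN / SYN-ACK / RESET rules the slides give, so the blamed machine's single shared IP ID counter reveals whether it answered the target. The same model with a per-destination IP ID counter (one defence found in modern kernels; randomising the ID is another) shows the attacker's two probes reading the same whether the port was open or closed. Host names, ports and the starting counter value are constructed.

```python
from collections import defaultdict


class Host:
    def __init__(self, name, open_ports=(), per_dest_ipid=False):
        self.name = name
        self.open_ports = set(open_ports)
        self.per_dest_ipid = per_dest_ipid       # defense: separate counter per peer
        self._global = 1000                       # constructed starting IP ID
        self._per_dest = defaultdict(lambda: 1000)
        self.inbox = []                           # every segment this host receives

    def next_ipid(self, dst):
        """IP ID stamped on a segment sent to dst."""
        if self.per_dest_ipid:
            self._per_dest[dst.name] += 1
            return self._per_dest[dst.name] & 0xFFFF
        self._global += 1                         # one shared counter leaks send activity
        return self._global & 0xFFFF

    def send(self, dst, flags, port=None, spoof_src=None):
        src = spoof_src or self                   # spoof_src models a forged source address
        seg = {"src": src, "dst": dst, "flags": flags, "port": port,
               "ipid": self.next_ipid(dst)}
        dst.receive(seg)
        return seg

    def receive(self, seg):
        self.inbox.append(seg)
        if seg["flags"] == "SYN":
            reply = "SYN-ACK" if seg["port"] in self.open_ports else "RST"
            self.send(seg["src"], reply)
        elif seg["flags"] == "SYN-ACK":
            self.send(seg["src"], "RST")          # no connection pending: reset it
        # RST: no reply, per the TCP behaviour the slides describe


def observe_ipid(attacker, blamed):
    """Probe the blamed machine with an unsolicited SYN-ACK; its RST carries its IP ID."""
    attacker.send(blamed, "SYN-ACK")
    return attacker.inbox[-1]["ipid"]


def infer_port_state(attacker, blamed, target, port):
    """The inference on the slides: IP ID advanced by 2 means the blamed machine
    also sent a RST to the target (port open); by 1 means it stayed silent (closed)."""
    before = observe_ipid(attacker, blamed)
    attacker.send(target, "SYN", port=port, spoof_src=blamed)   # target answers the blamed host
    after = observe_ipid(attacker, blamed)
    step = (after - before) & 0xFFFF
    return {2: "open", 1: "closed"}.get(step, "unknown")


def run_demo(per_dest_ipid=False):
    attacker = Host("attacker")
    blamed = Host("blamed", per_dest_ipid=per_dest_ipid)
    target = Host("target", open_ports={22, 443})
    return {p: infer_port_state(attacker, blamed, target, p) for p in (22, 25, 443)}


if __name__ == "__main__":
    print("shared IP ID counter:  ", run_demo())
    print("per-destination counter:", run_demo(per_dest_ipid=True))
```

With the shared counter the three ports read open, closed, open; with the per-destination counter the blamed machine's replies to the attacker advance by exactly one every time, so all three read "closed" and the scan learns nothing about the target.
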
UDP?
• Much simpler, so fewer scan options
• Not so easy to violate protocol
• Nmap provides “polite scan”
  o Not stealthy
• If ICMP unreachable, port is closed
• If UDP packet sent back, then port is open
• If nothing comes back… don’t know

Version Scanning
• Nmap detects service/software on a port
  o In case service does not use official port
  o And to determine software version
  o Can determine services that use SSL
• After 3-way handshake, service usually identifies itself
  o If not, Nmap sends some probing packets
  o UDP services are similarly easy to ID

Ping Sweeps
• Nmap provides ping sweeps too
• If incoming ICMP blocked, Nmap does sweep using TCP packets
  o To find live hosts, not as a port scan

RPC Scans
• Nmap can scan for RPC applications
  o RPC is for distributed apps
  o Makes distributed app easy to program

RPC Scans
• Familiar RPC services (Linux/UNIX)
  o Rpc.rstatd: performance stats from kernel
  o Rwalld: msgs to logged in users
  o Rup: up time and load avg of a service
  o Sadmind: older service for Solaris admin
  o Rpc.statd: used with NFS
• Many vulnerabilities in RPC
  o RPC scan may provide useful info to attacker

Source Port
• Nmap can set source port
• Might set source port to 80 or 25
  o To avoid filtering at target
  o Looks like Web traffic, email
• Source port 20 also useful
  o Looks like FTP data connection
  o Why FTP?

FTP
• Difficult for simple packet filter
  o Due to control connection (port 21) and data connection (port 20)
• UDP port 53 (DNS) also a good choice

Decoys
• Spoofed source addresses
• If attacker uses n decoys
  o Then n + 1 packets sent to each port
  o One with correct source address (except for FTP bounce or idle scans)…
  o …and n with specified spoofed sources
• What good does this do?

Active OS Fingerprinting
• Attacker wants to know the OS
• How to do this?
• RFCs do not specify everything
  o E.g., how to respond to illegal combinations of TCP control bits
  o Nmap knows the inconsistencies

Active OS Fingerprinting
• Nmap uses the following
  o SYN packet to open port
  o NULL packet to open port
  o SYN|FIN|URG|PSH to open port
  o ACK to open port
  o FIN|PSH|URG to closed port
  o UDP packet to closed port

Active OS Fingerprinting
• Predictability of initial sequence numbers also used by Nmap
  o Nmap has database of > 1000 platforms
• Xprobe2 --- active OS fingerprinting tool
  o Stealthier and more accurate than Nmap
• Passive OS fingerprinting is possible
  o No traffic sent to target
  o Sniff packets sent by target
  o This is covered in Chapter 8

Nmap Timing Options
• Paranoid --- one packet per 5 minutes
• Sneaky --- one packet per 15 seconds
• Polite --- one packet per 0.4 seconds
• Normal --- as quickly as possible
• Aggressive --- wait max of 1.25 sec for reply
• Insane --- wait max of 0.3 sec for reply
  o Will lose packets, resulting in false negatives
• Timing also customizable

Fragmentation
• Nmap also allows fragmentation
• Helps against some IDS systems
  o Discuss later…

Port Scanning Defenses
• Harden the system
  o Close unused ports
  o Minimize services/tools
  o Check ports in use

Port Scanning Defenses
• Scan yourself using Nmap
  o But this can cause problems
• Use more intelligent firewalls
  o Stateful packet filters or proxies…
  o …instead of packet filters

Firewalk
• Determines what gets thru firewall
  o Assuming a packet filter firewall
• Nmap vs Firewalk
  o Nmap does port scan of hosts
  o What happens if you Nmap a firewall?
  o Tells you ports firewall is listening on
  o But, you want to know filtered ports

Firewalk
• Nmap vs Firewalk
• But what about Nmap ACK scan?
  o Attacker learns which ports firewall allows established connections
  o But SYN packets might be dropped
• Firewalk tells attacker ports that firewall allows new connections on
  o More useful info to attacker

Firewalk
• Requires 2 IP addresses
  o Address before filtering takes place (i.e., external address of firewall)
  o Destination on other side of firewall
• Firewalk has 2 phases
  o Network discovery (like traceroute)
  o Actual scanning

Firewalk
• Network discovery phase
  o Use TTL to find hops to firewall

Firewalk
• Scanning phase
  o Packet sent to host behind firewall
  o Note: this works even if NAT is used

Firewalk
• TTL field crucial to Firewalk
• Packet filter and stateful packet filters both decrement TTL field
  o So Firewalk can work against these
• Application proxy firewall?
  o Proxy does not forward packet
  o Instead, creates a new packet… so what?

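The TTL mechanism behind both the Traceroute slides and the Firewalk slides above, in one small in-memory simulation that also covers the "block outgoing ICMP time exceeded" defense from the Network Mapping Defenses slide. This is an added example, not from the slides or from the Firewalk tool: routers decrement TTL, answer with time exceeded at zero unless configured quiet, and otherwise apply a port filter and forward. The topology, addresses and the firewall's allowed ports are constructed.

```python
class Router:
    """One hop. `allow` is None (forward everything) or the set of permitted dports.
    `quiet` models the defense of not emitting ICMP time exceeded."""
    def __init__(self, addr, allow=None, quiet=False):
        self.addr, self.allow, self.quiet = addr, allow, quiet

    def permits(self, dport):
        return self.allow is None or dport in self.allow


def send(path, ttl, dport):
    """Carry one packet along `path` (Routers followed by the destination address).
    Each router decrements TTL; at zero it answers with ICMP time exceeded
    (unless quiet); otherwise it applies its filter and forwards."""
    for hop in path:
        if not isinstance(hop, Router):
            return ("delivered", hop)
        ttl -= 1
        if ttl == 0:
            return ("silent", hop.addr) if hop.quiet else ("time_exceeded", hop.addr)
        if not hop.permits(dport):
            return ("dropped", hop.addr)
    return ("lost", None)


def traceroute(path, dport, max_hops=30):
    """Raise TTL one hop at a time; a hop that stays silent shows as '*'."""
    hops = []
    for ttl in range(1, max_hops + 1):
        status, addr = send(path, ttl, dport)
        if status == "delivered":
            hops.append(addr)
            break
        hops.append(addr if status == "time_exceeded" else "*")
    return hops


def firewalk(path, firewall_hop, ports):
    """Scanning phase: TTL = firewall hop count + 1. If the firewall forwards the
    packet, the next hop expires it and replies; if the firewall drops it,
    nothing comes back."""
    return {p: "open" if send(path, firewall_hop + 1, p)[0] == "time_exceeded"
            else "filtered" for p in ports}


def build_network(quiet_firewall=False):
    """Constructed topology: edge router, packet-filter firewall, inside router, host."""
    return [Router("198.51.100.1"),
            Router("198.51.100.2", allow={80, 443}, quiet=quiet_firewall),
            Router("10.1.0.1"),
            "10.1.0.50"]


if __name__ == "__main__":
    print("traceroute:", traceroute(build_network(), dport=80))
    print("traceroute, quiet firewall:", traceroute(build_network(True), dport=80))
    print("firewalk:", firewalk(build_network(True), firewall_hop=2,
                                ports=[22, 80, 443, 8080]))
```

Silencing the firewall's own time exceeded replies turns its hop into "*" in the traceroute, which is the defense the Network Mapping Defenses slide describes, but the firewalk result is unchanged because the reply it relies on comes from the hop after the firewall; that is why the Firewalk Defenses slide says to live with it and concentrate on the rules.
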
Firewalk
• How can Trudy use Firewalk results?
• To install software, must know which ports can be used
• Scan for new services on open ports
  o Example: SSH (TCP port 22) open, but SSH not available
  o SSH temporarily activated by admin…

Firewalk Defenses
• Learn to live with it
  o Since based on TCP/IP fundamentals
  o Focus on better firewall rules/mgmt
• Use proxy-based firewall
  o Might create problems
  o Likely to be much slower

Attack So Far…
• Trudy knows
  o Addresses of live hosts (ping, Cheops-ng)
  o Network topology (Traceroute, Cheops-ng)
  o Open ports on live hosts (Nmap)
  o Services & version numbers (Nmap)
  o OS types (Nmap, Xprobe2)
  o Ports open thru firewall (Firewalk)

Vulnerability Scanning
• Now what?
• Trudy wants to know vulnerabilities
• Tools automate process
  o Connect to host, test for vulnerabilities
• Types of vulnerabilities
  o Configuration errors
  o Default configuration weaknesses
  o Well-known (published) vulnerabilities
• 100s to 1000s of vulnerabilities

Vulnerability Scanning Tools
• Tools typically employ the following
  o Vulnerability database
  o User configuration
  o Scanning engine
  o Knowledge base of current scan
  o Results/report/repository

Vulnerability Scanning Tools
(diagram slide)

Vulnerability Scanning Tools
• Commercial tools include…
  o Harris STAT Scanner
  o ISS’s Internet Scanner
  o CFI LANguard Scanner
  o E-eye’s Retina Scanner
  o Qualys’s QualysGuard (subscription based)
  o McAfee’s Foundstone Foundscan (also subscription based)

Nessus
• Nessus --- the most popular free vulnerability scanning tool
  o Can write your own vulnerability checks, and lots of people have already done so
• Nessus plug-ins
  o More than 1,000 plug-ins in categories

Nessus Plug-Ins
• Categories of plug-ins are…
  o Backdoors, CGI abuses, Cisco, Default UNIX accounts, DoS, Finger abuses, Firewalls, FTP, Gain shell remotely, Gain root remotely, General, Misc, Netware, NIS, P2P file sharing, Remote file access, RPC, SMTP, SNMP, Windows, Useless services
• Each category: 2 to 100s of vulnerabilities

Nessus Architecture
• Client-server architecture
  o Client-server authentication, encryption, etc.

Nessus
• Attacker selects…
  o Plug-ins, target system, port range/type of scanning, port for Nessus client-server communication, encryption alg, email address for report
• Attacker can also write scripts

Nessus Report
• Nessus report format
• Other tools make Nessus report more readable and informative

Vulnerability Scan Defenses
• Close unused ports
• Install latest patches
• Run tools against your network
  o Be careful of DoS…

Nessus DoS Options
• Some risky, some not
• Pwd guess could also be problem

Limitations of Vulnerability Scanning Tools
• Only detect known vulnerabilities
• Tools don’t understand network architecture
  o Attacker might
• Only gives a snapshot in time
  o Environment is dynamic

IDS (and IPS)
• Scanning tools are noisy
• Port scan may use 10,000s of packets
• Vulnerability scan may send 100,000s or millions of packets
• IDS likely to notice such activity
• Attacker must try to evade IDS

IDS
• Mostly signature based

IDS Evasion
• To avoid signature detection…
• Change traffic
  o Change packet structure or syntax
• Change the context
  o IDS might not know full context

IDS Evasion at Network Level
• Fragments create problem for IDS
• Must reassemble fragments
• Attacker could…
  o Use fragments --- IDS may not handle it
  o Fragment flood --- overwhelm IDS
  o Fragment in unusual ways --- to exploit weakness in IDS handling of fragments

Fragmentation
• Tiny fragments
  o Not too effective vs modern IDS

Fragmentation
• Fragment overlap
  o Handled differently by different OSs…
  o Which makes the IDS’s job more difficult

FragRouter and FragRoute
• FragRouter --- fragmentation tool
• Options include
  o Various sized fragments
  o Various overlapping schemes
• Separates fragmentation from the attack

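The fragment-overlap problem from the two Fragmentation slides above, made concrete. This is an added example, not from the slides or from FragRouter: one constructed set of overlapping fragments is reassembled under two policies that real stacks differ on (earlier bytes win, or later bytes overwrite), yielding two different payloads. An IDS reassembling with a policy other than the end host's inspects data the host never sees, which is the "different OSs" point on the slide. The fragment offsets, contents and the signature string are constructed.

```python
def reassemble(fragments, policy="first"):
    """Rebuild a payload from (offset, data) fragments.
    policy="first": bytes already received win on overlap
    policy="last":  later fragments overwrite earlier bytes
    Real stacks differ in exactly this way, which an IDS has to model per host."""
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    filled = [False] * total
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
            filled[pos] = True
    if not all(filled):
        raise ValueError("fragment set has a gap")
    return bytes(buf)


def sample_fragments():
    """Constructed fragment set: the second fragment overlaps bytes 13..20 of the
    first with different content."""
    return [
        (0, b"GET /cgi-bin/good.cgi"),
        (13, b"test.cgi HTTP/1.0"),
    ]


def ids_vs_host(fragments, signature, ids_policy, host_policy):
    """Does the IDS see the signature in its reassembly, and does the end host?"""
    ids_view = reassemble(fragments, ids_policy)
    host_view = reassemble(fragments, host_policy)
    return signature in ids_view, signature in host_view


if __name__ == "__main__":
    frags = sample_fragments()
    print("first-wins:", reassemble(frags, "first"))
    print("last-wins: ", reassemble(frags, "last"))
    print("IDS(first) vs host(last) for b'test.cgi':",
          ids_vs_host(frags, b"test.cgi", "first", "last"))
```

Running it shows the same fragments reassembling to a request for good.cgi under one policy and test.cgi under the other; an IDS using "first" while the host uses "last" reports no match for a signature on test.cgi that the host actually receives, which is why the IDS Evasion Defenses slide recommends a host-based sensor alongside the network one.
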
IDS Evasion at App Level
• Nikto --- CGI scanner (IDS evasion)
• CGI scripts run on server, activated by user on the network
• Large number of CGI scripts vulnerable
• Nessus does some CGI scanning
• Nikto much more sophisticated
  o For attacks, makes subtle changes in HTTP to evade signature detection

Nikto
• IDS evasion strategies
  o Hex equivalents of characters, “Change” to current directory, URL does not include CGI script info (instead, placed in HTTP header), Long (nonexistent but ignored) directory name, Fake parameter(s), TAB separations (instead of spaces), Case, Windows delimiters (backslash), NULL method, Session splicing (separate TCP packets, not fragments)

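The defender's answer to the list of request-rewriting tricks on the slide above is to canonicalize the request before matching signatures. This is an added example, not from the slides or from any IDS: it normalizes hex-encoded characters, "/./" self-references, bogus directories followed by "..", fake parameters, TAB separators, case changes and backslash delimiters to one path, then matches against a constructed signature. The request lines are constructed too. The two tricks that operate below the request line (NULL method, session splicing across TCP segments) need stream reassembly and are outside this example.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed signature for the example; not a real Nikto or Nessus check.
SIGNATURES = {"/cgi-bin/vulnerable-example.cgi"}

SAMPLE_REQUESTS = [                                                         # constructed
    "GET /cgi-bin/vulnerable-example.cgi HTTP/1.0",                         # plain
    "GET /cgi-bin/%76ulnerable-example.cgi HTTP/1.0",                       # hex for 'v'
    "GET /cgi-bin/./vulnerable-example.cgi HTTP/1.0",                       # current dir
    "GET /thisdirectorydoesnotexist/../cgi-bin/vulnerable-example.cgi HTTP/1.0",
    "GET /cgi-bin/vulnerable-example.cgi?x=1&junk=2 HTTP/1.0",             # fake params
    "GET\t/cgi-bin/vulnerable-example.cgi\tHTTP/1.0",                       # TAB separators
    "GET /CGI-BIN/Vulnerable-Example.CGI HTTP/1.0",                         # case
    "GET \\cgi-bin\\vulnerable-example.cgi HTTP/1.0",                       # backslashes
    "GET /cgi-bin/other.cgi HTTP/1.0",                                      # benign
]


def canonical_path(raw_target):
    """Reduce a request target to one canonical path before signature matching."""
    target = raw_target.replace("\\", "/")           # Windows-style delimiters
    path = urlsplit(target).path                      # drops fake ?params and #fragments
    for _ in range(2):                                # %xx, plus one level of double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = "/" + path.lstrip("/")                     # collapse leading slashes
    path = posixpath.normpath(path)                   # removes /./ , // and bogus/../
    return path.lower()                               # case variations


def parse_request_line(line):
    """Split 'METHOD target version'; TABs are accepted as separators."""
    parts = line.replace("\t", " ").split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % line)
    return parts[0].upper(), parts[1], parts[2]


def matches_signature(request_line):
    _, target, _ = parse_request_line(request_line)
    return canonical_path(target) in SIGNATURES


def scan(lines=None):
    """One verdict per request line."""
    return [matches_signature(line) for line in (lines or SAMPLE_REQUESTS)]


if __name__ == "__main__":
    for line, hit in zip(SAMPLE_REQUESTS, scan()):
        print("MATCH " if hit else "clean ", repr(line))
```

Every disguised variant collapses to the same canonical path, so a single signature catches all of them, while the benign request does not match; matching on the raw request line instead would catch only the first.
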
IDS Evasion Defenses
• Use IDS, regardless of attacks
• Keep signatures up to date
• Use host-based & network-based IDS
  o For example, fragmentation attack easier to detect with host-based defense

Conclusion

Summary