Intrusion detection systems
SCSC 455 Computer Security
Intrusion Detection
Index
Network scanning and packet-sniffing utilities
IDS -- Intrusion detection systems
Automated security audits
Scanners and Sniffers
Crackers can employ the following techniques in order to gain access to a Linux system:
Port scanning, in which packets are sent to a host to gain information about it based on its response
Packet sniffing, in which every packet on the network has its header and data examined
Network administrators also use these techniques to check for security weaknesses, and though some feel their use is illegitimate, it is important to stay ahead of crackers
Port Scanning
A port scan enables someone to identify a network's operating system and any services that could potentially allow greater access
Port scans typically use the TCP protocol and its associated flags to gather information about the host and its network services
Some port scanners use ICMP and UDP packets, which do not provide as much data as TCP, but can offer some information that TCP cannot
The most widely used port-scanning utility is nmap, the network mapper:
a command-line utility that uses a variety of scanning methods
allows for fingerprinting hosts, greater output, and configuration of timing policy
can also perform a Ping scan, which reports hosts that are reachable using ICMP echo packets
nmap Uses
Network exploration tool and port scanner
Security audits
Network inventory
Upgrade schedules
Monitoring host/service uptime
Example nmap Scan
# nmap -A -T4 scanme.nmap.org playground
Starting nmap ( http://www.insecure.org/nmap/ )
Interesting ports on scanme.nmap.org (205.217.153.62):
(The 1663 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 3.9p1 (protocol 1.99)
53/tcp  open   domain
70/tcp  closed gopher
80/tcp  open   http    Apache httpd 2.0.52 ((Fedora))
113/tcp closed auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11
Uptime 33.908 days (since Thu Jul 21 03:38:03 2005)
Interesting ports on playground.nmap.org (192.168.0.40):
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
389/tcp  open  ldap?
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1002/tcp open  windows-icfw?
1025/tcp open  msrpc        Microsoft Windows RPC
1720/tcp open  H.323/Q.931  CompTek AquaGateKeeper
5800/tcp open  vnc-http     RealVNC 4.0 (Resolution 400x250; VNC TCP port: 5900)
5900/tcp open  vnc          VNC (protocol 3.8)
MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Pro RC1+ through final release
Service Info: OSs: Windows, Windows XP
Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds
nmap Options Summary and Syntax
# nmap
Nmap 3.95 ( http://www.insecure.org/nmap/ )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-P0: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idlescan
-sO: IP protocol scan
-b <ftp relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast - Scan only the ports listed in the nmap-services file)
-r: Scan ports consecutively - don't randomize
nmap Syntax (cont)
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version_light: Limit to most likely probes for faster identification
--version_all: Try every single probe for version detection
--version_trace: Show detailed version scan activity (for debugging)
OS DETECTION:
-O: Enable OS detection
--osscan_limit: Limit OS detection to promising targets
--osscan_guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
-T[0-5]: Set timing template (higher is faster)
--min_hostgroup/max_hostgroup <msec>: Parallel host scan group sizes
--min_parallelism/max_parallelism <msec>: Probe parallelization
--min_rtt_timeout/max_rtt_timeout/initial_rtt_timeout <msec>: Specifies probe round trip time.
--host_timeout <msec>: Give up on target after this long
--scan_delay/--max_scan_delay <msec>: Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source_port <portnum>: Use given port number
--data_length <num>: Append random data to sent packets
--ttl <val>: Set IP time-to-live field
--spoof_mac <mac address/prefix/vendor name>: Spoof your MAC address
nmap Syntax (cont)
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use twice for more effect)
-d[level]: Set or increase debugging level (Up to 9 is meaningful)
--packet_trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append_output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Insecure.Org for more portable XML
--no_stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enables OS detection and Version detection
--datadir <dirname>: Specify custom Nmap data file location
--send_eth/--send_ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sP 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -P0 -p 80
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
Target Specification
192.168.10.0/24 198.168.10.97/16
192.168.0-255.0/8 better: 192.168.0-255.1-254
0-155.0-255.13.37 (Internet-wide scan of all addresses ending in 13.37)
scanme.nmap.org/8
Some available options:
-iL <input_file_name> (Addresses from list)
-iR <num hosts> (Choose random targets)
--excludefile <exclude_file>
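As an added example (not from the slides or from nmap itself), a small Python parser for the two address forms shown above, CIDR blocks and per-octet ranges; the function names are my own, and hostnames are deliberately not resolved:

```python
import ipaddress
from itertools import product


def _octet_ranges(spec):
    """Turn 'a.b-c.d.e-f' into four Python ranges, one per octet."""
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    ranges = []
    for field in fields:
        lo, _, hi = field.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo          # plain "7" means the range 7-7
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {field!r} in {spec!r}")
        ranges.append(range(lo, hi + 1))
    return ranges


def expand_targets(spec):
    """Expand an nmap-style IPv4 target spec into the addresses it covers.

    Handles CIDR ("192.168.10.0/24") and per-octet ranges
    ("192.168.0-255.1-254"). Like nmap, a CIDR block includes its
    network and broadcast addresses, and host bits in the prefix are
    tolerated ("198.168.10.97/16" means the whole /16).
    """
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in net]
    return [".".join(map(str, combo)) for combo in product(*_octet_ranges(spec))]


def count_targets(spec):
    """Size of a spec without enumerating it: a cheap sanity check before
    starting a scan that might quietly cover 65536 hosts."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    total = 1
    for r in _octet_ranges(spec):
        total *= len(r)
    return total
```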
Host Discovery
Reduce the number of hosts on a network to be scanned
Specify how each host is to be identified as interesting
Firewall considerations
Default: for each requested IP address
Attempt – TCP ACK to port 80
Attempt – ICMP Echo Request
Host Discovery
Some available host discovery options:
-sL (List Scan)
-sP (Ping Scan): use only pings to scan the IP addresses specified; prints all hosts responding to a ping
-P0 (No Ping)
-PS [port list] (TCP SYN Ping Scan): a TCP SYN packet is sent to port 80 for every IP, or else to every port in the list
-PA [port list] (TCP ACK Ping Scan)
-PU [port list] (UDP Ping Scan)
-PE; -PP; -PM (ICMP Ping Scan)
-PR (ARP Ping Scan)
Port Scanning Basics
nmap scans more than 1660 ports
Most port scanners list ports as opened or closed
nmap recognizes 6 port states
Open
Accepting TCP connections or UDP packets
Closed
Host is up on the IP address
Accessible but no app is listening
Try later
Port Scanning Basics
nmap recognizes 6 port states (cont’d)
Filtered
No response from probe
Firewall probably did a stealth drop
Forces nmap to retry many times
Unfiltered
Port is accessible but not whether open or closed
Used in mapping firewall rulesets
Try Window scan, SYN scan, FIN scan
Port Scanning Basics
nmap recognizes 6 port states (cont’d)
open|filtered
When unable to determine whether port is open or filtered
closed|filtered
When unable to determine whether port is closed or filtered
Port Scanning Techniques
Only one scan technique can be used at a time
Usually must have root privilege
Some available scan techniques:
-sS (TCP SYN scan)
Default
Half-open scanning: the open request is never completed
-sT (TCP connect() scan)
A full TCP connection is attempted
Firewalls tend to block incomplete TCP connect attempts
The scan control is handed over to the OS.
Port Scanning Techniques (cont’d)
Some additional available scan techniques:
-sU (UDP scan)
Picks up services like DNS, SNMP, DHCP
A UDP packet is sent with no data to all targeted ports
ICMP port unreachable --> port is closed
ICMP type 3, code 1, 2, 9, 10 or 13 --> port is filtered
Responds with a UDP packet --> port is open
No response --> port is open|filtered
-sN (TCP null scan): no flags set
-sF (TCP FIN scan): only the FIN bit is set
-sX (Xmas scan): FIN, PSH, & URG bits are set
RST packet received --> port is closed
No response --> port is open|filtered
ICMP unreachable (type 3, code 1, 2, 3, 9, 10 or 13) --> port is filtered
Port Scanning Techniques (cont’d)
Some additional available scan techniques:
-sA (TCP ACK scan)
No open ports are discovered
Does determine if the firewall is stateful
Unfiltered ports return a RST packet and are labeled unfiltered
No response or ICMP errors are labeled filtered
-sW (TCP window scan)
-sO (IP protocol scan)
Cycles through all of the IP protocols
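An added Python example, not from the slides, that encodes the response-to-state rules above for the SYN, UDP, FIN/Null/Xmas and ACK scan types in one decision function; the dict shape used for a probe response and the function names are assumptions of this example, and the SYN rules follow the usual nmap behaviour (SYN/ACK open, RST closed, silence or ICMP unreachable filtered):

```python
from collections import Counter

# ICMP type 3 (destination unreachable) codes that nmap reports as "filtered"
FILTERED_CODES = (1, 2, 3, 9, 10, 13)


def _is_icmp_filtered(resp):
    return (resp is not None and resp["kind"] == "icmp"
            and resp["type"] == 3 and resp["code"] in FILTERED_CODES)


def classify_port(scan, resp):
    """Map one probe result to the nmap port state it implies.

    scan: "syn", "udp", "fin", "null", "xmas" or "ack".
    resp: None for no reply (after nmap's retransmissions), or a dict
          {"kind": "syn-ack" | "rst" | "udp" | "icmp"}; ICMP replies
          also carry "type" and "code".
    """
    kind = resp["kind"] if resp else None
    if scan == "syn":
        if kind == "syn-ack":
            return "open"
        if kind == "rst":
            return "closed"
        if kind is None or _is_icmp_filtered(resp):
            return "filtered"
    elif scan == "udp":
        if kind == "udp":
            return "open"
        if kind == "icmp" and resp["type"] == 3 and resp["code"] == 3:
            return "closed"            # port unreachable: checked before the generic codes
        if _is_icmp_filtered(resp):
            return "filtered"
        if kind is None:
            return "open|filtered"     # silence is ambiguous for UDP
    elif scan in ("fin", "null", "xmas"):
        if kind == "rst":
            return "closed"
        if kind is None:
            return "open|filtered"
        if _is_icmp_filtered(resp):
            return "filtered"
    elif scan == "ack":
        if kind == "rst":
            return "unfiltered"        # reachable, but open vs. closed unknown
        if kind is None or _is_icmp_filtered(resp):
            return "filtered"
    raise ValueError(f"no rule for scan={scan!r} resp={resp!r}")


def summarize(results):
    """Count states over (scan, resp) pairs, as nmap does for its
    '(The N ports scanned but not shown below are in state: X)' line."""
    return Counter(classify_port(scan, resp) for scan, resp in results)
```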
Service and Version Detection
Probes discovered ports
nmap-service-probes contains probes for querying options
-sV (Version detection)
OS Detection
Uses TCP and UDP scans
Compares to the nmap-os-fingerprints database
-O (Enable OS detection)
-A (Enable both OS and version detection)
Output
Piles of output
Learn perl and grep
Many formats
-oN <filespec> (Normal output)
-oX <filespec> (XML output)
-v (Increase verbosity level)
nmap Conclusion
Powerful
Invasive
obvious if you are not careful
illegal if not done correctly
Packet Sniffing
A packet sniffer allows for the examination of any or all of the traffic passing through a network cable or wireless space
An Ethernet card can enable packet sniffing only if it is operating in promiscuous mode
Users must be logged in as root to use this mode, so packet sniffers require root access
If encryption technologies such as SSH, GPG, and stunnel are used, packet data is more secure
Packet Sniffing
Three popular Linux utilities are:
IPTraf displays individual network connections, with protocol and other data for each one
also displays statistics by protocols, certain host names, or certain IP addresses
tcpdump provides information similar to IPTraf, but it also includes more detailed information about network packets
Ethereal takes tcpdump a step farther in that it is a graphical network analysis tool
Intrusion Detection Software
Intrusion detection is the process of noticing when someone is trying to break into (or has already broken into) a system
This category of software is called intrusion detection systems (IDS)
PortSentry, by Psionic, watches network ports for packets that appear to be port scans
A more complex tool than PortSentry is Linux IDS, or LIDS, which can alter the Linux kernel
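An added Python example (not PortSentry's code) of the kind of check a port-scan watcher performs: a source that touches many distinct ports on a host in a short window is flagged. It runs over constructed iptables-LOG-style lines; the line format, the threshold and the window are assumptions of this example:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not real traffic): 198.51.100.7 walks six ports in
# eight seconds, while 203.0.113.5 behaves like an ordinary web client.
SAMPLE_LOG = """\
2005-08-24T10:15:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=21
2005-08-24T10:15:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
2005-08-24T10:15:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23
2005-08-24T10:15:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
2005-08-24T10:15:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=25
2005-08-24T10:15:04 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
2005-08-24T10:15:05 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
2005-08-24T10:15:09 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=110
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (timestamp, source address, destination port), or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])


def detect_scans(lines, threshold=5, window_s=60):
    """Sources that hit >= threshold distinct ports within window_s seconds.

    Returns {source: largest number of distinct ports seen in one window}.
    A sliding window per source means a slow, spread-out scan below the
    threshold is not flagged; tune window_s for that trade-off.
    """
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            by_src[src].append((ts, dpt))
    alerts, window = {}, timedelta(seconds=window_s)
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # drop events older than the window
                start += 1
            distinct = len({p for _, p in events[start:end + 1]})
            if distinct >= threshold:
                alerts[src] = max(distinct, alerts.get(src, 0))
    return alerts
```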
Big Brother
Big Brother provides a different level of intrusion detection than LIDS and it uses a client/server model similar to SNMP
includes a server that gathers data from clients on each network host and displays that data as a Web page
Some standard services Big Brother will manage are DNS, FTP, HTTP, POP3, SSH, Telnet, disk space and memory usage
Using Intrusion Detection Software
Suggested use of intrusion detection tools:
Use nmap to scan the system after configuration to check for security holes
Next use PortSentry to watch for outside hosts trying to port scan the server
Use LIDS to secure your file system and processes so that anyone who is able to gain unauthorized access will have very limited power
Use Big Brother to keep a constant eye on services that are provided on network servers
System Security Audits
The best way to test confidence in the security of a Linux system is to perform a security audit
Security audits are reviews or tests of how secure the system is and what needs to be done to improve its security
A security audit could take the form of:
A careful review of the security policy
Use of special security-auditing software
System Security Audits
One of the first security-auditing programs was called Security Administrator Tool for Analyzing Networks (SATAN)
The Security Administrator's Integrated Network Tool (SAINT) replaced SATAN
SAINT uses a Web browser interface to manage an "attack" on a network and report vulnerabilities found
Other security audit tools are Tiger and SARA