Transcript Scanning

電腦攻擊與防禦 (The Attack and Defense of Computers)
Dr. 許富皓
Tracerouting
After identifying potential networks, we can attempt to determine their:
• network topology
• potential access paths into the network.
Tools
Unix: traceroute.
Windows: tracert.
Traceroute - Function
Allows a user to view the route that an IP packet follows from one host to the next.
traceroute - Principle
traceroute uses the TTL (Time To Live) field in the IP header to elicit an ICMP TIME_EXCEEDED message from each router along the path (the TTL field also acts as a hop counter).
The first packet sent by traceroute has a TTL value of 1, the second packet sent has a TTL value of 2, … and so on.
When a UDP packet is used as the probing packet, it usually uses a destination port number greater than 30000, which is rarely used by applications; hence, when the probed host receives the probing packet, it sends an ICMP port unreachable message back to the traceroute host.
traceroute - Interference
Access control devices (such as an application-based firewall or packet-filtering routers) may filter out traffic.
traceroute – Where Is the Router?
Generally, once you hit a live system on a network, the system before it is a device performing routing functions (for example, a router or a firewall).
traceroute – Multiple Routing Paths
In a complex environment:
• There may be multiple routing paths, that is, routing devices with multiple interfaces or load balancers.
• Each interface may have different access control lists (ACLs) applied.
• In many cases, some interfaces will pass your traceroute requests, whereas others will deny them because of the ACL.
traceroute – Build an Access Path Diagram
After you traceroute to multiple systems on the network, you can begin to create a network diagram that depicts the architecture of the Internet gateway and the location of devices that are providing access control functionality.
This diagram is referred to as an access path diagram.
traceroute – Exploring Packets
Most flavors of traceroute in UNIX default to sending UDP packets, with the option of using ICMP packets via the -I switch.
In Windows, however, the default behavior is to use ICMP echo request packets.
Therefore, your mileage may vary using each tool if the site blocks UDP versus ICMP and vice versa.
Bypassing Access Control Devices
-p n option.
-S switch.
UDP port 53 is a good starting port number: because many sites allow inbound DNS queries (using UDP port 53), there is a high probability that the access control device will allow the probes through.
However, if the target really is listening on UDP port 53, you will not receive the normal ICMP port unreachable message back. Therefore, you will not see a host displayed when the packet reaches its ultimate destination.
Using TCP Packets to Find the Routes
Because the TTL value used in tracerouting is in the IP header, we are not limited to UDP or ICMP packets. Literally any IP packet could be sent.
Some tools have been developed to provide alternate tracerouting techniques to get probes through firewalls that are blocking UDP and ICMP packets.
Two tools that allow for TCP tracerouting to specific ports are:
• tcptraceroute
• Cain & Abel
tcptraceroute - Bypass Firewall Filters
tcptraceroute is a traceroute implementation using TCP packets.
As mentioned in the previous slide, many firewalls filter out UDP and ICMP packets. However, in many cases, these firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections on.
By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters.
tcptraceroute
It is worth noting that tcptraceroute never completely establishes a TCP connection with the destination host.
If the host is not listening for incoming connections, it will respond with an RST indicating that the port is closed.
If the host instead responds with a SYN|ACK, the port is known to be open, and an RST is sent by the kernel tcptraceroute is running on to tear down the connection without completing the three-way handshake.
tracerouting Countermeasure – IDS and IPS
Depending on your site's security paradigm, an administrator may be able to configure her/his border routers to limit ICMP and UDP traffic to specific systems, thus minimizing your exposure.
Deploy Network Intrusion Detection Systems (NIDS) and Intrusion Prevention Systems (IPS) that will detect this type of network reconnaissance.
One of the best free NIDS programs, Snort, by Marty Roesch, can detect this activity.
tracerouting Countermeasure – RotoRouter
Humble from Rhino9 developed a program called RotoRouter. This utility is used to log incoming traceroute requests and generate fake responses.
Scanning
Comparison between Footprinting and Scanning
If footprinting is the equivalent of casing a place for information, then scanning is equivalent to knocking on the walls to find all the doors and windows.
During footprinting, malicious users can obtain a list of IP network blocks and IP addresses.
Scanning aims to determine what systems are listening for inbound network traffic (a.k.a. alive) and are reachable from the Internet.
Purposes of Scanning and Corresponding Tools
Determining if the system is alive: Ping sweeps
• ICMP sweeps (ICMP ECHO requests)
• Broadcast ICMP
• Non-ECHO ICMP
• TCP/UDP sweeps
Determining which services are running or listening: Port scanning.
Detecting the operating system:
• Active OS fingerprinting.
• Passive OS fingerprinting.
Ping Sweeps
ICMP ECHO Requests
One of the most basic steps in mapping out a network is performing an automated ping sweep on a range of IP addresses and network blocks to determine if individual devices or systems are alive.
One of the ping sweep tools used by malicious users for the above purpose is "ping".
ping sends ICMP ECHO request (Type 8) packets to a target system in an attempt to elicit an ICMP ECHO reply (Type 0) indicating that the target system is alive.
fping
One of the techniques for performing ping sweeps in the UNIX world.
fping is a ping(1)-like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a host is up.
fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the list of hosts to ping.
fping - Example
Example:
[root]$ cat in.txt
192.168.51.1
192.168.51.2
192.168.51.3
:
192.168.51.253
192.168.51.254
[root]$ fping -a -f in.txt
192.168.1.254 is alive
192.168.1.227 is alive
192.168.1.224 is alive
:
192.168.1.3 is alive
192.168.1.2 is alive
192.168.1.1 is alive
192.168.1.190 is alive
fping – Increase Scanning Rate
Instead of trying one host until it times out or replies, fping will send out a ping packet and move on to the next host in a round-robin fashion.
If a host replies, it is noted and removed from the list of hosts to check.
If a host does not respond within a certain time limit and/or retry limit, it will be considered unreachable.
Unlike ping, fping is meant to be used in scripts and its output is easy to parse.
SuperScan
For the Windows-inclined.
Other Tools
Ping Sweep
WS_Ping ProPack
NetScan Tools
Broadcast ICMP - Principle
Sending an ICMP ECHO request to the network broadcast address will produce all the information you need for mapping a targeted network in an even simpler way.
The request will be broadcast to all alive hosts on the target network, and they will send an ICMP ECHO reply to the attacker's source IP after only one or two packets have been sent by him.
Broadcast ICMP – Unix vs. Windows Platforms
Here we can first distinguish between Unix and Windows machines.
While Unix machines often still answer requests directed to the network address (the answer will be the fully qualified network address), Windows machines will ignore them.
Using Non-ECHO ICMP Packets for Ping Sweeps
Non-ECHO ICMP packets can also be used to perform ping sweeps.
Examples:
• ICMP type 13 messages (TIMESTAMP)
• ICMP type 17 messages (ADDRESS MASK REQUEST)
Functions of Non-ECHO ICMP Packets
ICMP timestamp request and reply allow a system to query another for the current time.
The ICMP address mask request (and reply) is intended for diskless systems to obtain their subnet mask at bootstrap time.
People can use it to request the netmask of a particular device.
Non-ECHO ICMP Ping Sweep Tools
We can use the icmpush and icmpquery tools to perform this kind of scanning.
Many firewalls are configured to block only ICMP ECHO traffic, which makes the non-ECHO requests a valid form of host identification.
What Will Happen If ICMP Is Blocked by the Target Site? (1)
It is not uncommon to come across a security-conscious site that has blocked ICMP at the border router or firewall.
Although ICMP may be blocked, some additional tools and techniques can be used to determine if systems are actually alive. However, they are not as accurate or as efficient as a normal ping sweep.
What Will Happen If ICMP Is Blocked by the Target Site? (2)
Typically, pinging heavily utilizes ICMP (Internet Control Message Protocol) packets, even though they are not the only packet types available for network pinging.
Either TCP or UDP provides an alternative approach to performing ping sweeps to find out if a host is alive on the network.
When ICMP traffic is blocked, TCP/UDP sweeps are the first alternate technique to determine live hosts.
TCP Sweeps
TCP Sweeps – Packets and Ports Used
A scanner sends a SYN packet to the target:
If the target is alive, then the scanner will receive:
• SYN/ACK (the port is open.)
• RST (the port is closed.)
With the TCP sweep technique, instead of sending ICMP ECHO request packets we send TCP ACK or TCP SYN packets (depending on whether we have root access or not) to the target network. The port number can be selected to meet our needs. Usually a good pick would be one of the following ports: 21 / 22 / 23 / 25 / 80 (especially if a firewall is protecting the targeted network). Receiving a response is a good indication that something is up there.
TCP Sweeps - Drawbacks
The response depends on the target's operating system, the nature of the packet sent and any firewalls, routers or packet-filtering devices used.
Bear in mind that firewalls can spoof a RESET packet for an IP address, so TCP sweeps may not be reliable.
nmap
A powerful network reconnaissance tool.
[root] nmap -sP 192.168.1.0/24
Starting nmap V. 3.70 by fyodor@insecure.org (www.insecure.org/nmap)
Host (192.168.1.0) seems to be a subnet broadcast address (returned 3 extra pings)
Host (192.168.1.1) appears to be up.
Host (192.168.1.10) appears to be up.
Host (192.168.1.11) appears to be up.
Host (192.168.1.15) appears to be up.
Host (192.168.1.20) appears to be up.
Host (192.168.1.50) appears to be up.
Host (192.168.1.101) appears to be up.
Host (192.168.1.102) appears to be up.
Host (192.168.1.255) seems to be a subnet broadcast address (returned 3 extra pings).
Nmap run completed – 256 IP addresses (10 hosts up) scanned in 21 seconds.
UDP Sweeps
UDP Sweeps (a.k.a. UDP Scans)
This method relies on the ICMP PORT UNREACHABLE message, initiated by a closed UDP port.
If no ICMP PORT UNREACHABLE message is received after sending a UDP datagram to a UDP port that scanners wish to examine on a targeted system, they may assume the port is open.
Drawbacks of UDP Sweeps
UDP scanning is unreliable for a number of reasons:
• Routers can drop UDP packets as they cross the Internet.
• Many UDP services do not respond when correctly probed.
• Firewalls are usually configured to drop UDP packets (except for DNS).
• UDP sweeps rely on the fact that a non-active UDP port will respond with an ICMP PORT UNREACHABLE message.
Port Scanning
Ping Sweeps vs. Port Scanning
Ping sweeps help malicious users identify which systems are alive. The next step is trying to determine what services (if any) are running or in a LISTENING state on the targeted system, by connecting to the TCP and UDP ports of that system. This is called port scanning.
For the hacker it is critical to identify listening ports, because it helps her/him further identify the operating system and applications in use.
Service Detection and Attacks
The services detected as listening may suffer from vulnerabilities which may result from two reasons:
• Misconfiguration of the service
• The version of the software is known to have security flaws
If identified, these vulnerabilities can lead to privileged access being gained by the attacker.
Port Scanning
• TCP connect() scans
• TCP SYN scans (half open scanning)
• Stealth scans: explicit stealth mapping techniques
  • SYN/ACK scans
  • FIN scans
  • XMAS scans
  • NULL scans
• Proxy scanning / FTP bounce scanning
• Idlescan
TCP connect() scans
With this type of scan, a scanner uses the basic TCP connection establishment mechanism to open a connection to an interesting port on the targeted machine:
A SYN packet is sent to the interesting port on the target system.
Now we wait to see what type of packet is sent back from the target.
• If a SYN/ACK packet is received, it usually means the port is in a LISTENING state.
• If a RST/ACK packet is received, it usually means the port is not LISTENING and the connection will be RESET.
We finish the three-way handshake (if a SYN/ACK packet was received) by sending an ACK.
The connection is terminated after the full connection establishment process has been completed.
Drawbacks of TCP connect() scans
Time-consuming.
This kind of scan is easily detected. Inspecting the target system log will show a number of connections and error messages immediately after each one of them was initiated.
TCP SYN Scans (Half Open Scanning)
This type of scan differs from the TCP connect() scan because scanners do not open a full TCP connection. They send a SYN packet to initiate the three-way handshake and wait for a response.
If scanners receive a SYN/ACK, it indicates the port is LISTENING.
• If they do receive a SYN/ACK packet, they immediately tear down the connection by sending a RESET.
If scanners receive an RST/ACK, it indicates a non-LISTENING port.
Advantages of TCP SYN Scans
Faster than a TCP connect() scan.
Because the TCP three-way handshake was not completed, some sites will probably not log these scanning attempts.
Stealth Scan
"Stealth" can also be defined as a family of scanning techniques that do one of the following:
• Pass through filtering rules.
• Avoid being logged by the targeted system's logging mechanisms.
• Try to hide themselves within the usual site/network traffic.
An Important Rule in RFC 793 (TCP)
According to RFC 793, closed ports are required to reply with a RESET packet to our probe packets, while open ports must ignore any packet in question.
SYN/ACK Scans – Packets Being Sent
This scan intentionally disregards the TCP three-way handshake.
Scanners send a SYN/ACK packet, which is step two in the TCP three-way handshake, while no SYN packet is sent for step one.
SYN/ACK Scans
Sending a SYN/ACK packet to a closed port:
Because TCP is stateful, it knows no SYN has been sent, which is the first step in the three-way TCP handshake. TCP figures this packet must be a mistake and sends a RESET to tear down the connection. This is what scanners wished for: any kind of response to give away the existence of the system and the fact that the probed port is closed.
If scanners send the SYN/ACK to an open port, it will ignore any such packet.
FIN Scanning
This technique sends erroneous packets at a port, expecting that open listening ports will send back different error messages than closed ports.
The scanner sends a FIN packet, which should close a connection that is open.
Closed ports reply to a FIN packet with a RST.
Open ports, on the other hand, ignore the packet in question.
The above responses are required TCP behavior.
Drawback of FIN Scanning
According to the previous slide, no response to the FIN probe packet sent to a port X is interpreted as X being an open port.
Therefore, silence indicates the presence of a service at the port.
However, since packets can be dropped accidentally on the wire or blocked by firewalls, this isn't a very effective scan.
XMAS (Christmas Tree)
XMAS is a scanning type which sends a TCP packet with the URG, ACK, PSH, RST, SYN and FIN flags set, i.e. all the TCP flags are set.
Closed ports → RESET packets.
Open ports → no response packets.
• P.S.: The above behavior is defined in RFC 793; however, some OSs' implementations may not follow the above rules.
Null Scans
A Null scan is a scanning type which sends a TCP packet with all flags turned off.
Closed ports → RESET packets.
Open ports → no response packets.
According to RFC 793 this should work against every implementation of TCP regardless of the operating system it runs on. Life is not always simple. Windows, CISCO, BSDI, HP/UX, MVS & IRIX have a broken TCP implementation: they send RESETs to open ports as well.
Properties of the FTP Protocol
The FTP protocol supports the following scenario:
attacker.com connects to an FTP server, which has a world-writable directory, and establishes a control connection.
The attacker can then ask the FTP server to initiate an active server data transfer process and send a file anywhere on the Internet, presumably to a user data transfer process.
Proxy Scanning/FTP Bounce Scanning
Redirect the scanning traffic to a target port, then:
If the transfer is successful (150 and 226 responses), the target host is listening on the specified port scanned.
Otherwise, a "425 Can't build data connection: Connection refused" message will be received.
Commonly Adopted Port Scanning Signatures
• Several packets to different destination ports from the same source address within a short period of time.
• SYN to a non-listening port.
Obviously, there are many other ways to detect port scans, up to dumping all the packet headers to a file and analyzing them manually.
P.S.: It is always possible for an attacker to make her attack either very unlikely to be noticed, or very unlikely to be traced to its real origin, while still being able to obtain the port number information.
Port Scanning Techniques to Avoid Being Detected
• Random port scan.
• Slow scan.
• Fragmentation scanning.
• Decoy.
• Coordinated scans.
Random Port Scan
Many commercial intrusion detection systems and firewalls look for sequential connection attempts. When the pattern is matched, a port scan is reported.
Randomizing the sequence of ports probed may prevent detection.
Slow Scan – Site Detection Threshold
Intrusion detection systems can determine if a specific IP tries to port scan the network they are defending. This is done by analyzing the network traffic over a certain amount of time.
The amount of time is called the site detection threshold.
Slow Scan
Some hackers are very patient and can use network scanners that spread out the scan over a long period of time.
The scan rate can be, for example, as low as 2 packets per day per target site.
If the attacker can guess the detection threshold of the target, he can reduce the chances of detection to a minimum or even to no detection at all, as long as he doesn't include a signature with his packets that alerts the intrusion detection system in another way.
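As an added example (not from the slides), the two port-scan signatures above and the site detection threshold idea, written as a small Python detector run over constructed connection records; the record format, the addresses and the listening-port table are assumptions, and the window argument plays the role of the detection threshold.

```python
from collections import defaultdict, namedtuple

# Constructed sample of connection attempts seen by a sensor (not from the
# slides): "<epoch seconds> <src ip> <dst ip> <dst port> <tcp flags>".
# 10.0.0.5 probes four ports in three seconds, 10.0.0.9 probes the same four
# ports at one probe every 12 hours (a slow scan), 10.0.0.7 is a normal client.
SAMPLE_LOG = """
1000 10.0.0.5 192.168.1.10 21 S
1001 10.0.0.5 192.168.1.10 22 S
1002 10.0.0.5 192.168.1.10 23 S
1003 10.0.0.5 192.168.1.10 25 S
1002 10.0.0.7 192.168.1.10 80 S
1003 10.0.0.7 192.168.1.10 22 S
0 10.0.0.9 192.168.1.10 21 S
43200 10.0.0.9 192.168.1.10 22 S
86400 10.0.0.9 192.168.1.10 23 S
129600 10.0.0.9 192.168.1.10 25 S
"""

# Ports the monitored host actually listens on (constructed).
LISTENING = {"192.168.1.10": {22, 80}}

Event = namedtuple("Event", "ts src dst dport flags")


def parse_log(text):
    """Parse the whitespace-separated records into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        events.append(Event(int(ts), src, dst, int(dport), flags))
    return events


def many_ports_alerts(events, max_ports, window):
    """Signature 1: one source reaches `max_ports` or more distinct
    destination ports on one host within any `window`-second period.
    A scan spread out wider than `window` is not flagged."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pair[(e.src, e.dst)].append(e)
    alerts = set()
    for pair, evs in by_pair.items():
        start = 0
        for end in range(len(evs)):           # sliding time window
            while evs[end].ts - evs[start].ts > window:
                start += 1
            ports = {e.dport for e in evs[start:end + 1]}
            if len(ports) >= max_ports:
                alerts.add(pair)
                break
    return alerts


def syn_to_closed_alerts(events, listening):
    """Signature 2: a bare SYN sent to a port the host is not listening on."""
    return sorted({(e.src, e.dst, e.dport) for e in events
                   if e.flags == "S"
                   and e.dport not in listening.get(e.dst, set())})


EVENTS = parse_log(SAMPLE_LOG)
```

With a 60-second window only the fast scanner is reported; widening the window to a week also catches the 12-hour-spaced probes, which is the trade-off the detection threshold sets.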
Fragmentation and IDS
All IP packets that carry data can be fragmented.
Some filtering devices and intrusion detection systems may incorrectly reassemble or completely miss portions of the scan. They may assume that this was just another segment of traffic that has already passed through their access list.
Fragmentation Scanning Countermeasure
Filtering devices that queue all IP fragments can handle this method.
Linux is a good example, with the CONFIG_IP_ALWAYS_DEFRAG kernel option.
Some networks cannot afford the performance hit this causes and disable this feature.
This kind of scan has been fixed in most vendors' products.
Decoy
Some network scanners include options for decoys or spoofed addresses in their attacks.
It would appear to the attacked network/host that the host(s) you specified as decoys are scanning them as well. This will drive intrusion detection systems into thinking that the target network is being port scanned by all the hosts, and determining who the real attacker is will be nearly impossible.
Anti-Decoy
One way that helped intrusion detection systems detect the decoy hosts in the past was the TTL (Time to Live) field values in the scanning packets.
If all the incoming packets' TTL values are the same, it is likely that they were generated in the same "factory".
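As an added example (not part of the slides), the same-TTL heuristic in Python over constructed probe records, extended with a comparison against the TTL previously seen from each address, which is my own addition; the record format, the addresses and the baseline values are assumptions.

```python
from collections import defaultdict

# Constructed sample of SYN probes seen at the border (not from the slides):
# "<src ip> <ttl> <dst port>". One real scanner plus two decoy addresses.
SCAN_PACKETS = """
203.0.113.10 58 21
198.51.100.7 58 21
192.0.2.44 58 21
203.0.113.10 58 22
198.51.100.7 58 22
192.0.2.44 58 22
"""

# Constructed sample of ordinary traffic: the TTLs differ per source.
NORMAL_PACKETS = """
203.0.113.10 58 80
198.51.100.7 49 80
192.0.2.44 115 443
"""

# TTLs previously observed from each address in legitimate traffic
# (a baseline the sensor would have to record; constructed here).
BASELINE_TTL = {"203.0.113.10": 58, "198.51.100.7": 49, "192.0.2.44": 115}


def parse_packets(text):
    """Parse records into (src, ttl, dport) tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            src, ttl, dport = line.split()
            out.append((src, int(ttl), int(dport)))
    return out

def ttls_by_source(packets):
    """Set of TTL values seen per source address."""
    seen = defaultdict(set)
    for src, ttl, _ in packets:
        seen[src].add(ttl)
    return seen

def same_factory(packets):
    """The slide's heuristic: probes from several sources that all carry
    one identical TTL were probably generated by a single host."""
    sources = {src for src, _, _ in packets}
    ttls = {ttl for _, ttl, _ in packets}
    return len(sources) > 1 and len(ttls) == 1

def likely_decoys(packets, baseline):
    """Extension of the heuristic: a source whose probe TTL disagrees with
    the TTL normally seen from that address is probably being spoofed."""
    decoys = set()
    for src, ttls in ttls_by_source(packets).items():
        if src in baseline and ttls != {baseline[src]}:
            decoys.add(src)
    return sorted(decoys)

def probable_real_source(packets, baseline):
    """The one source whose probe TTL matches its baseline, if unique."""
    decoys = set(likely_decoys(packets, baseline))
    rest = [s for s in ttls_by_source(packets) if s not in decoys and s in baseline]
    return rest[0] if len(rest) == 1 else None
```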
Weaknesses of Previous Scan Methods
Probing a few target systems from a single IP within a certain amount of time will usually trigger the alarm of the intrusion detection systems.
We have already discussed a way to try to bypass this: using slow scans. But even a slow scan can sometimes be detected.
Coordinated Attacks
When a group of attackers are working together to achieve a common goal, trying to get unauthorized access to a targeted network for example, we call this coordinated attacks.
Coordinated attacks can be used to target a single host or even an entire network.
Coordinated Scans
If multiple IPs probe a target network, each one of them probing for a certain service on a certain machine in a different time period, it would be nearly impossible to detect these scans.