Transcript Power Point - ECE Users Pages - Georgia Institute of Technology

Reconnaissance, Network
Mapping, and Vulnerability
Assessment
ECE4112 – Internetwork Security
Georgia Institute of Technology
1
Agenda
• Reconnaissance
• Scanning
• Network Mapping
• Port Scanning
•OS detection
• Vulnerability assessment
2
Reconnaissance
• Internet Network Information Center who-is
database www.internic.net/whois.html
• Registrar’s database i.e.
www.networksolutions.com
• American Registry for Internet Numbers (ARIN)
http://ww2.arin.net/whois/
• Domain Name System (DNS) nslookup
3
Reconnaissance
• After Recon, it is possible to know detailed
information about a potential target
• This information includes specific IP addresses
and ranges of addresses that may be further
probed.
4
Scanning
Objective 1: Network Mapping
Why: To determine what the network looks like logically.
How: Manually using tools like ping, traceroute, tracert, or with
tools like Cheops network mapping tool
5
Cheops-ng
Created by Mark Spencer for Linux systems, available at
http://www.marko.net/cheops/
Purpose: “To provide system administrators and users with
a simple interface to managing and accessing their networks.
Cheops aims to do for the network what the file manager did for
the filesystem.” This tool automates ping and traceroute.
6
Cheops-ng: What does it do?
• Finds active hosts in a network
• Determines the names of active hosts
• Discovers host operating systems
• Detects open ports
• Maps the complete network in a graphical format
7
Cheops-ng: How does it work?
• Utilizes ICMP “ping” packets to search a network for live hosts
• Domain Name Transfers (nslookup) are used to list hosts
• Invalid flags on TCP packets are used to detect the OS
• Half-open TCP connections are used to detect ports
• UDP packets with small TTL values are used to map network
8
Scanning
Objective 2: Port Scanning
Why: To find open ports in order to exploit them.
How:
• TCP Connect -- attempt to complete 3-way handshake, look for
SYN-ACK, easy to detect this scan
• TCP SYN Scan -- “half-open” scan, look for SYN-ACK, then send
RESET, target system will not record connection, also faster than
TCP connect scan
• TCP FIN, Xmas Tree, Null Scans -- scans that violate the protocol,
closed ports send RESET, open ports send nothing (Windows does
not respond to these scans)
9
Scanning
• TCP ACK Scan -- may be useful to get past packet filters
(believes it is a response to a request from inside firewall), if
receive RESET, know this port is open through firewall
• FTP Bounce Scan -- request that server send file to a victim
machine inside their network (most servers have disabled this
service)
• UDP Scan -- unreliable, if receive ICMP Port Unreachable,
assume closed, otherwise open
• Ping Sweep -- can use ICMP or TCP packets
10
Scanning
Additional objectives:
• Decoys -- insert false IP addresses in scan packets
• Ping Sweeps -- identify active hosts on a target
network
• Find RPCs -- connect to each open port looking for
common RPC services (send NULL RPC commands)
11
Scanning
Objective 3: Operating System Detection
Why: To determine what Operating System is in use in order
to exploit known vulnerabilities.
• Also known as TCP stack fingerprinting.
• Take advantage of ambiguity of how to handle illegal
combinations of TCP code bits that is found in the RFCs.
• Each OS responds to illegal combinations in different
ways.
• Determine OS by system responses.
12
OS detection
Window Size: Most Unix Operating Systems keep the window
Size the same throughout a session. Windows Operating
Systems tend to change the window size during a session.
Time to Live: FreeBsd or Linux typically use 64, Windows
Typically uses 128.
Do Not Fragment Flag: Most OS leave set, OpenBSD leaves
it unset.
13
Nmap: Network Exploration
Tool
Purpose: “To allow system administrators and curious
individuals to scan large networks to determine which
hosts are up and what services they are offering.”
Available at: http://www.insecure.org/nmap/
14
Nmap: What does it do?
• Port scanning
• OS detection
• Ping sweeps
15
Nmap: How does it work?
Use the following Scan techniques :
• UDP
• FIN
• TCP connect()
• ACK sweep
• TCP SYN (half open)
• Xmas Tree
• ftp proxy (bounce attack)
• SYN sweep
• Reverse-Identification
• IP Protocol
• ICMP (ping sweep)
• Null Scan
16
Nmap: How does it work?
• Uses the following OS detection techniques
• TCP/IP fingerprinting
• stealth scanning
• dynamic delay and retransmission calculations
• parallel scanning
• detection of down hosts via parallel pings
• decoy scanning
• port filtering detection
• direct (non-port mapper) RPC scanning
• fragmentation scanning
• flexible target and port specification.
17
Scanning Vulnerability
Assessment (1)
Objective 4: Vulnerability Assessment
Why: To determine what known (or unknown?)
vulnerabilities exist on a given network
Vulnerabilities come from:
• Default configuration weakness
• Configuration errors
• Security holes in applications and protocols
• Failure to implement patches!
18
Vulnerability Assessment
Vulnerability checkers use:
• Database of known vulnerabilities
• Configuration tool
• Scanning engine
• Knowledge base of current scan
• Report generation tool
19
Scanning tool: Nessus
Purpose: “To provide to the internet community a free,
powerful, up-to-date and easy to use remote security scanner.”
Security Scanner: “A software which will audit remotely a
given network and determine whether bad guys (aka 'crackers')
may break into it, or misuse it in some way.”
Available platforms: UNIX for client and server
Windows for client only
Available at: http://www.nessus.org/
20
Nessus: What does it do?
• Iteratively tests a target system (or systems) for known
exploitation vulnerabilities
• Uses a separate plug-in (written in C or Nessus Attack
scripting Language) for each security test
• Can test multiple hosts concurrently
• Produces a thorough vulnerability assessment report at the
conclusion of the vulnerability scan
21
What does Nessus check for?
• Backdoors
• Port scanners
• CGI abuses
• Remote file access
• Denial of Service
• RPC
• Finger abuses
• SMTP problems
• FTP
• Useless services
• Gain a shell remotely
• Windows
• Gain root remotely
• and more...
22
Scanning tool: Superscan4
(windows XP)
Purpose: “To provide to the internet community a free,
powerful, up-to-date and easy to use remote security scanner.”
Security Scanner: “Superior scanning speed, Support for
unlimited IP ranges, Improved host detection using multiple
ICMP methods , TCP SYN scanning , UDP scanning (two
methods), IP address import supporting ranges and CIDR
formats, Simple HTML report generation, Source port
scanning, Fast hostname resolving, Extensive banner grabbing ,
Massive built-in port list description database , IP and port scan
order randomization , A selection of useful tools (ping,
traceroute, Whois etc) ,Extensive Windows host enumeration
capability .”
23
Summary
• Reconnaissance
• Scanning
• Network Mapping
• Port Scanning
• OS detection
• Vulnerability assessment
25