Letian Li - Dr. John Durrett


Reconnaissance & Scanning
By Letian Li
ISQS 6342 (Spring 2003)
Professor John Durrett

Reconnaissance
 Using a combination of tools and techniques to take an unknown quantity of information and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet.

Low-Technology Reconnaissance
 Search the Fine Web
 Use search engines
 Whois Databases
 Domain Name System

Low-Technology Reconnaissance
 Social Engineering
  - Computer users must be trained not to give sensitive information away to a friendly caller.
 Physical Break-in
  - A guard at the front door or a card reader checks all employees coming into a given facility.
 Dumpster Diving
  - A well-used paper shredder is the best defense against dumpster diving.

Search the Fine Web (STFW)
 Searching an organization’s own web site
 The Fine Art of using search engines
 Listening in at the Virtual Watering Hole: Usenet

Searching an organization’s own web site
 Employees’ contact information with phone numbers.
 Clues about the corporate culture and language.
 Business partners.
 Recent mergers and acquisitions.
 Technologies in use.

The Fine Art of using search engines
 AltaVista
 Excite
 Google
Listening in at the Virtual Watering Hole: Usenet
 Internet Usenet newsgroups are frequently used by employees to share information and ask questions.
  - This reveals sensitive information.
  - A web search engine such as www.groups.google.com provides a massive archive of an enormous number of newsgroups.

Defenses against web-based Reconnaissance
 Establish policies regarding what type of information is allowed on your own web servers.
  - Avoid including information about the products used in your environment, particularly their configuration.
 Establish a policy regarding the use of newsgroups and mailing lists by employees.
  - Avoid posting information about system configurations, business plans, and other sensitive topics.

Whois Databases: Treasure Chests of Information
 Whois databases contain a variety of data elements regarding the assignment of Internet addresses, domain names, and individual contacts.
 Researching .com, .net, and .org domain names.
  - A complete list of all accredited registrars is available at www.internic.net/alpha.html.
  - www.internic.net/whois.html allows a user to enter an organization’s name or domain name.
 Researching domain names other than .com, .net, and .org.
  - For organizations outside of the United States, a list can be found at www.allwhois.com/home.html.

IP Address Assignments through ARIN
 American Registry for Internet Numbers.
  - Contains all IP addresses assigned to a particular organization.
  - Users can access the ARIN whois database at http://www.arin.net/whois/index.html.
 European IP address assignments can be retrieved at www.ripe.net.

Defenses against Whois Searches
 Database information that is useful to attackers should not be available to the public.
 Can we use some erroneous or misleading registration information?
  - You can quickly and easily get the contact information using whois searches.
  - The whois database information lets us inform an administrator that their systems are being used in an attack.

Defenses against Whois Searches (cont.)
 There really is no comprehensive defense to prevent attackers from gaining registration data.

The Domain Name System
 DNS is a hierarchical database distributed around the world that stores a variety of information, including IP addresses, domain names, and mail server information.
 DNS servers store this information and make up the hierarchy.

Interrogating DNS Servers
 nslookup command
  - Windows NT/2000
  - Most variations of UNIX
 host command
  - Included with most variations of UNIX
 dig command
  - Included with some UNIX variants

Defenses from DNS-Based Reconnaissance
 Make sure you aren’t leaking information unnecessarily through DNS servers.
 Restrict zone transfers.
 Use “split DNS” to limit the amount of DNS information about your infrastructure.

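Checking that the “restrict zone transfers” advice is actually in force is easier when the name server configuration can be audited mechanically. The following is an added example, not part of the original slides: it scans a BIND-style named.conf for zones whose effective allow-transfer list includes any host. The sample configuration is constructed, and two assumptions are built in: a zone’s own allow-transfer overrides the one in the options block, and a zone with no setting at either level falls back to the server default, which older BIND releases set to ‘any’.

```python
"""Audit a BIND-style named.conf for zones that allow zone transfers to any host.
Added example, not from the slides. Assumes BIND 8/9 syntax (global allow-transfer
in options { } plus per-zone overrides); a zone with no setting at either level
gets the server default, which older BIND releases set to 'any'."""
import re

# Constructed sample: one zone restricted to its secondary, one wide open, one
# silently relying on the global setting.
SAMPLE_NAMED_CONF = """
options { directory "/var/named"; allow-transfer { any; }; };
zone "example.test" { type master; file "ex.zone"; allow-transfer { 192.0.2.53; }; };
zone "corp.example.test" { type master; file "corp.zone"; allow-transfer { any; }; };
zone "inherits.example.test" { type master; file "inh.zone"; };
"""
BLOCK_RE = re.compile(r'(options|zone\s+"([^"]+)")\s*\{', re.I)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}', re.I)

def _block_body(text, start):
    """Text between the brace at index `start` and its matching close brace."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def transfer_acl(body):
    """allow-transfer entries in a block body, or None when the block has none."""
    m = TRANSFER_RE.search(body)
    return None if not m else [e.strip() for e in m.group(1).split(";") if e.strip()]

def open_transfer_zones(conf, server_default_open=True):
    """Names of zones whose effective allow-transfer ACL includes 'any'."""
    global_acl, zones = None, {}
    for m in BLOCK_RE.finditer(conf):
        body = _block_body(conf, m.end() - 1)   # m.end() - 1 is the opening brace
        if m.group(1).lower() == "options":
            global_acl = transfer_acl(body)
        else:
            zones[m.group(2)] = transfer_acl(body)
    flagged = []
    for name, acl in zones.items():
        effective = global_acl if acl is None else acl   # per-zone overrides global
        if effective is None:                            # unset at both levels
            wide_open = server_default_open
        else:
            wide_open = any(e.lower() == "any" for e in effective)
        if wide_open:
            flagged.append(name)
    return sorted(flagged)
```

Run against the sample, it reports corp.example.test and inherits.example.test; the second is the easy one to miss, since the zone stanza itself looks harmless.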
We’ve got the registrar, now what?
 Names: Complete registration information includes the administrative, technical, and billing contact names.
  - An attacker can use this information to deceive people in the target organization during a social engineering attack.
 Telephone numbers
  - The telephone numbers associated with the contacts can be used by an attacker in a war-dialing attack.

We’ve got the registrar, now what? (cont.)
 Email addresses: this information will indicate to an attacker the format of email addresses used in the target organization.
  - The attacker will know how to address email for any user.
 Postal addresses:
  - An attacker can use this geographic information to conduct dumpster-diving exercises or social engineering.

We’ve got the registrar, now what? (cont.)
 Registration dates:
  - Older registration records tend to be inaccurate.
  - A record that hasn’t been recently updated may indicate an organization that is lax in maintaining its Internet connection.
 Name servers:
  - This incredibly useful field includes the addresses of the Domain Name System servers for the target.

General Purpose Reconnaissance Tools
 Sam Spade, a General-Purpose Reconnaissance Client Tool.
  - One of the easiest to use and most functional integrated reconnaissance suites available today.
 Runs on Windows 9X, NT, and 2000.
 Available at www.samspade.org/ssw/

Sam Spade’s Capabilities
 Ping: This tool will send an ICMP Echo Request message to a target to see if it is alive and determine how long it takes to respond.
 Whois: Conduct Whois lookups using default Whois servers, or by allowing the user to specify which Whois database to use.
 IP Block Whois: Used to determine who owns a particular set of IP addresses, using ARIN databases.
 Nslookup: Query a DNS server to find the domain name to IP address mapping.
 DNS Zone Transfer: Transfers all information about a given domain from the proper name server.

Sam Spade’s Capabilities (cont.)
 Traceroute: Returns a list of router hops between the source machine and the chosen target.
 Finger: Supports querying a system to determine its user list.
 SMTP VRFY: Determine whether particular email addresses are valid on a given email server.
 Web browser: Sam Spade’s built-in mini browser lets its users view raw HTTP interaction, including all HTTP headers.

General Purpose Reconnaissance Tools (cont.)
 Other client-based reconnaissance tools similar to Sam Spade include:
  - CyberKit: A freeware tool for Windows, available at http://www.twpm.com/internet/downloads/cyberkit.htm
  - iNetScanTools: a feature-limited demonstration tool for Windows and Macintosh, available at www.wildpackets.com/products/inettools

Web-Based Reconnaissance Tools: Research and Attack Portals
 www.samspade.org
 www.network-tools.com
 www.securityspace.com/
 www.grc.com/x/ne.dll?bhobkyd2
 www.doshelp.com/dostest.htm
 www.dslreports.com/r3/dsl/secureme

Scanning
 The scanning phase is akin to a burglar turning doorknobs and trying to open windows to find a way into your house. Common techniques include:
  - War Dialing
  - Network Mapping
  - Port Scan
  - Vulnerability Scan

War Dialing
 A war-dialing tool automates the task of dialing large pools of telephone numbers in an effort to find unprotected modems.
 An attacker can scan in excess of a thousand telephone numbers in a single night using a single computer with a single phone line.
 More computers and phone lines make the scan even faster.

War Dialer vs. Demon Dialer
 A war dialer is a tool used to scan a large pool of numbers to find modems and other interesting lines.
 A demon dialer is a tool used to attack just one telephone number with a modem, guessing password after password in an attempt to gain access.
 War dialing focuses on scanning a variety of telephone numbers, while demon dialing focuses on gaining access through a single telephone number.

A Toxic Recipe: Modems, Remote Access Products, and Clueless Users
 By default, many of these remote control products include no password for authentication.
 Anyone dialing up to a system with such a remote control product installed has complete control over the victim machine without providing even a password.
 We can discover modems connected to servers and routers that either request no password or have a trivial-to-guess password.

Finding Telephone Numbers to Feed into a War Dialer
 The phone book.
 The Internet.
 Whois databases.
 Your organization’s Web site.
 Social engineering.

War-Dialing Tools
 THC-Scan 2.0.
  - THC-Scan is one of the most full-featured noncommercial war-dialing tools available today.
  - You can find it at www.ussysadmin.com/modules.php?name=Downloads&d_op=search&query=
 l0pht’s TBA War-Dialing Tool
  - Available at www.l0pht.com

The War Dialer Provides a List of Lines with Modems: Now What?
 The attacker may find systems without a password. The attacker will connect to such a system, look through local files, and start to scan the network.
 If all of the discovered systems with modems are password protected, the attacker will then resort to password guessing.

Defenses against War Dialing
 Modem policy.
 Dial-out only?
  - While this technique works quite well, some users have a business need that requires incoming dial-up modem access.
 Find your modems before the attackers do.
  - Use a commercial war dialer.
  - www.sandstorm.net, www.securelogix.com
 Desk-to-desk checks.

Network Mapping
 “Network mapping” is the effort to map:
  - Topology: how network components are connected to each other to build up the network.
  - Network devices: types, brands, versions, etc.
  - Computers and services: computers and their placement, vendors and models of running OSs, published services.

Common Network Mapping
 Sweeping: Finding Live Hosts.
 Traceroute: What Are the Hops?
Sweeping: Finding Live Hosts
 ICMP
  - Send an ICMP Echo Request packet to every possible address.
  - If a reply comes back, that address has an active machine.
  - But many networks block incoming ICMP messages.

Sweeping: Finding Live Hosts (cont.)
 TCP/UDP
  - An attacker could alternatively send a TCP or UDP packet to a port that is commonly open, such as TCP port 80.
  - If nothing comes back, there may or may not be a machine there.

Traceroute: What Are the Hops?
 Tracerouting relies on the Time-To-Live (TTL) field in the IP header.
 Start with a TTL of one. This process continues with incrementally higher TTLs until the destination is reached.
  - Each ICMP Time Exceeded message carries the router’s IP address.
 Most UNIX varieties include a version of the traceroute program.
 Windows NT and Windows 2000 include the tracert program.

Cheops: A Nifty Network Mapper and General-Purpose Management Tool
 Available at www.marko.net/cheops
 Runs on Linux.

Defenses against Network Mapping
 Filter out the underlying messages that mapping tools rely on.
  - At the Internet gateway, block incoming ICMP messages, except to hosts that you want the public to be able to ping.
 Filter ICMP Time Exceeded messages leaving your network to stymie an attacker using traceroute (tracert).

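To see why filtering outbound ICMP Time Exceeded messages blunts traceroute, the following added example (not part of the original slides) models a probe path: every router decrements the TTL and answers with Time Exceeded when it reaches zero, and an egress filter at the target’s gateway discards those answers when they come from routers inside the network. The path, the addresses and the gateway position are constructed for the example.

```python
"""Model of how traceroute discovers hops through TTL expiry, and what the
attacker sees once the target's gateway drops outbound ICMP Time Exceeded.
Added example, not from the slides; path, addresses and the gateway position
are constructed (RFC 5737 documentation addresses)."""

# Routers the probe traverses in order, then the target host.
PATH = ["198.51.100.1", "198.51.100.2", "203.0.113.1", "203.0.113.2"]
TARGET = "203.0.113.50"
# Routers from this PATH index onward sit inside the target's network, behind
# the gateway where the egress filter on ICMP Time Exceeded is applied.
INSIDE_FROM = 2


def forward(ttl, filter_time_exceeded=False):
    """Forward one probe with the given TTL along PATH.

    Returns (kind, source_ip): ("time_exceeded", router) from the router where
    the TTL reached zero, ("port_unreachable", TARGET) when the probe reached
    the target, or ("none", None) when the gateway filter dropped the reply."""
    for idx, router in enumerate(PATH):
        ttl -= 1                                  # every router decrements TTL
        if ttl == 0:
            # The ICMP Time Exceeded reply carries the router's own address.
            if filter_time_exceeded and idx >= INSIDE_FROM:
                return ("none", None)             # discarded at the egress filter
            return ("time_exceeded", router)
    # TTL survived the path: a UDP probe to an unused port draws Port Unreachable.
    return ("port_unreachable", TARGET)


def traceroute(filter_time_exceeded=False, max_ttl=30):
    """Raise the TTL from 1 until the target answers; "*" marks a silent hop."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        kind, src = forward(ttl, filter_time_exceeded)
        hops.append(src if src else "*")
        if kind == "port_unreachable":
            break
    return hops


if __name__ == "__main__":
    print("unfiltered:", traceroute())
    print("filtered:  ", traceroute(filter_time_exceeded=True))
```

With the filter in place the attacker still learns how many hops sit between the gateway and the target, because the target’s own Port Unreachable reply is not filtered, but the internal routers’ addresses no longer appear.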
Determining Open Ports Using Port Scanners
 Discover the purpose of each system and learn potential entryways into your machines by analyzing which ports are open.
 The attacker may focus on common services like telnet, FTP, and email.
 Free port-scanning tools:
  - Nmap, at www.insecure.org/nmap/.
  - Ultrascan.
  - Strobe.

Nmap: A Full-Featured Port Scanning Tool
 A nice GUI for Nmap.

Common Types of Nmap Scans
 TCP Connect
 TCP SYN Scans
 TCP FIN, Xmas Tree, and Null Scans
 TCP ACK Scans
 FTP Bounce Scans
The Polite scan: TCP Connect
 Complete the TCP three-way handshake.
 Connect scans are really easy to detect.
 The web server’s log file will indicate that a
connection was opened from the attacker’s IP
address.
 Attackers often use stealthier scan techniques.
A Little Stealthier: TCP SYN Scans
 SYN scans stop two-thirds of the way through the handshake.
 If the target port is closed, the attacker’s system will receive either no response, a RESET packet, or an ICMP Port Unreachable packet, depending on the target machine type and network architecture.
 Benefits:
  - Stealthier. A true connection never occurs.
  - Speed.

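A connect scan shows up in the application log, but both connect and SYN scans leave the same trail at a firewall that logs connection attempts, and the ICMP and TCP sweeps from the mapping slides leave one source touching many hosts. The following added example (not part of the original slides) runs a threshold detector over firewall-style log lines: a source that touches many ports on one host, or many hosts, inside a time window is flagged. The log format, the sample lines and the thresholds are constructed; grouping is by source address only, because the scanner chooses its own source port.

```python
"""Flag port scans and host sweeps in firewall-style connection logs.
Added example, not from the slides. The log format is constructed:
"<epoch> <proto> <src>[:<sport>] -> <dst>[:<dport>] <flags>"; adapt
parse_line() to a real firewall's format. Events are grouped by source
address only, since a scanner chooses its own source port, and the flags are
ignored: a SYN-only scan and a full connect scan both leave this record."""
from collections import defaultdict

# Constructed sample: a SYN scan of ten ports on one host from 203.0.113.9,
# an ICMP echo sweep of six hosts from 203.0.113.10, and two normal web hits.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 443, 3389]
SAMPLE_LOG = "\n".join(
    [f"100{i} tcp 203.0.113.9:80 -> 192.0.2.10:{p} S" for i, p in enumerate(SCAN_PORTS)]
    + [f"2000 icmp 203.0.113.10 -> 192.0.2.{h} echo" for h in range(1, 7)]
    + ["3000 tcp 198.51.100.7:51234 -> 192.0.2.10:80 S",
       "3001 tcp 198.51.100.7:51235 -> 192.0.2.10:443 S"])

def parse_line(line):
    """Return (ts, proto, src, dst, dport) or None for an unparseable line."""
    parts = line.split()
    if len(parts) < 5 or parts[3] != "->":
        return None
    src = parts[2].split(":")[0]
    dst, _, dport = parts[4].partition(":")
    return int(parts[0]), parts[1], src, dst, dport or "icmp"

def detect(log, port_threshold=8, host_threshold=5, window=60):
    """Alerts as ("portscan", src, dst, n_ports) and ("sweep", src, n_hosts).

    A source is flagged when, within `window` seconds, it touches at least
    `port_threshold` distinct ports on one host (vertical port scan) or at
    least `host_threshold` distinct hosts (horizontal sweep)."""
    by_src = defaultdict(list)
    for ts, _proto, src, dst, dport in sorted(e for e in map(parse_line, log.splitlines()) if e):
        by_src[src].append((ts, dst, dport))
    alerts = {}                     # alert key -> largest count seen in any window
    for src, events in by_src.items():
        for i, (t0, _, _) in enumerate(events):
            win = [e for e in events[i:] if e[0] - t0 <= window]
            ports = defaultdict(set)
            for _, dst, dport in win:
                ports[dst].add(dport)
            for dst, ps in ports.items():
                if len(ps) >= port_threshold:
                    key = ("portscan", src, dst)
                    alerts[key] = max(alerts.get(key, 0), len(ps))
            hosts = {dst for _, dst, _ in win}
            if len(hosts) >= host_threshold:
                key = ("sweep", src)
                alerts[key] = max(alerts.get(key, 0), len(hosts))
    return sorted(k + (n,) for k, n in alerts.items())
```

The two legitimate web hits from 198.51.100.7 stay below both thresholds; a slow scan spread over many windows also stays below them, which is exactly the trade-off an attacker exploits by scanning slowly, so tune `window` against your own traffic.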
Violate the Protocol Spec: TCP FIN, Xmas Tree, and Null Scans
 A FIN packet instructs the target system that the connection should be torn down.
  - A closed port should respond with a RESET.
  - An open port will not respond at all.
 Xmas Tree and Null scans are similar to the FIN scan.
 Unfortunately, this technique does not work against Microsoft Windows-based systems.

Kicking the Ball Past the Goalie: TCP ACK Scans

Obscure the Source: FTP Bounce Scans
 Some old FTP servers allow a user to connect to them and request that the server send a file to another system.
 The attacker opens a connection to an FTP server supporting the bounce feature.
 The attacker’s tool requests that the innocent FTP server open a connection to a given port on the target system.
 The innocent FTP server then tells the attacker the status of the port.

Don’t Forget UDP!
 UDP does not have a three-way handshake, sequence numbers, or code bits.
 Packets may be delivered out of order, and are not retransmitted if they are dropped.
 False positives are common during UDP scans.

Setting Source Ports for a Successful Scan
 TCP port 80 is a popular choice for a source port, as the resulting traffic will appear to be coming from a Web server using HTTP.
 Attackers also widely use TCP source port 25, which appears to be traffic from an Internet mail server using the SMTP protocol.
 Another interesting option involves using a TCP source port of 20, which will look like an FTP-data connection.

Defenses against Port Scanning
 Harden your systems.
  - Close all unused ports.
  - For critical systems, delete the programs associated with the unneeded service.
 Find the Openings before the Attackers Do.
  - Scan your systems before an attacker does to verify all ports are closed except those that have a defined business need.
 Add Some Intelligence: Use Stateful Packet Filters or Proxies.

Vulnerability Scanning Tools
 A vulnerability-scanning tool will automatically check for the following types of vulnerabilities on the target system:
  - Common configuration errors: Numerous systems have poor configuration settings, leaving various openings for an attacker to gain access.
  - Default configuration weaknesses: default accounts and passwords.
  - Well-known system vulnerabilities: new security holes are discovered and published.

Vulnerability Scanning Defenses
 Again, close all unused ports and apply patches to your systems.
 Run the Tools against Your Own Networks.
  - Use any one of the free or commercial tools.
  - Be careful with Denial-of-Service and Password Guessing Tests.
    - You could damage your systems if you misconfigure the tools.
    - Be sure to disable Denial-of-Service attacks, unless you specifically want them.
    - Password guessing may lock out legitimate users.

Vulnerability Scanning Defenses (cont.)
 Be aware of the Limitations of Vulnerability Scanning Tools.
  - These tools only check for vulnerabilities that they know about.
    - You must be sure to keep the vulnerability database up to date.
  - These tools don’t really understand the network architecture.

Intrusion Detection Systems
 All of the scanning tools are incredibly noisy.
  - A robust vulnerability scan could send hundreds of thousands or millions of packets to the target network.
 A network-based IDS captures all data on the LAN, gathering packets associated with normal use of the network and attacks alike.
 By matching attack signatures in their database, IDSs detect attacks.

Evading Network-Based Intrusion Detection Systems
 Mess with the appearance of traffic so it doesn’t match the signature.
  - Because detection is based on signature matching, attackers can work hard to make sure their attacks don’t look like the signatures checked by the IDS.

IDS Evasion at the Network Level
 A large IP packet is broken down into a series of fragments, each with its own IP header. To detect attacks, the IDS needs to store, reassemble and analyze all of these fragments.
 Use fragments: older IDSs cannot handle fragment reassembly.
 Send a flood of fragments: tie up all of the memory capacity of the IDS system.
 Fragment the packets in unexpected ways: fragment the packets in a variety of unusual ways.

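An IDS that reassembles fragments needs a memory bound, or the fragment flood described above simply exhausts it. The following added example (not part of the original slides) is a small reassembler that emits a datagram only when its fragments tile the payload exactly, holds gapped or overlapping sets rather than guessing, and evicts the oldest incomplete datagram once a byte budget is exceeded. Fragments are modelled as (id, offset, more-fragments flag, payload) tuples instead of raw IP headers, and the budget is a constructed figure.

```python
"""Bounded IP fragment reassembly of the kind a network IDS must perform before
it can match signatures. Added example, not from the slides: fragments are
modelled as (datagram id, byte offset, more-fragments flag, payload) instead of
raw IP headers, and the memory budget is a constructed figure."""
from collections import OrderedDict


class Reassembler:
    """Collect fragments per datagram id and emit the payload once complete.

    `max_bytes` caps the memory held for incomplete datagrams: when a flood of
    never-completing fragments exceeds it, the oldest pending datagram is
    evicted (and recorded) instead of letting the sensor run out of memory."""

    def __init__(self, max_bytes=4096):
        self.max_bytes = max_bytes
        self.pending = OrderedDict()   # id -> {"frags": {offset: bytes}, "total": int|None, "bytes": int}
        self.in_use = 0
        self.evicted = []

    def add(self, frag_id, offset, more, payload):
        """Feed one fragment; return the reassembled bytes when complete, else None."""
        entry = self.pending.setdefault(frag_id, {"frags": {}, "total": None, "bytes": 0})
        if offset in entry["frags"]:
            return None                    # exact duplicate: keep the first copy
        entry["frags"][offset] = payload
        entry["bytes"] += len(payload)
        self.in_use += len(payload)
        if not more:                       # last fragment fixes the datagram length
            entry["total"] = offset + len(payload)
        if self._complete(entry):
            self._drop(frag_id)
            return b"".join(entry["frags"][o] for o in sorted(entry["frags"]))
        while self.in_use > self.max_bytes and self.pending:
            victim = next(iter(self.pending))          # oldest incomplete datagram
            self.evicted.append(victim)
            self._drop(victim)
        return None

    def _complete(self, entry):
        """True when fragments tile [0, total) exactly, with no gaps or overlaps."""
        if entry["total"] is None:
            return False
        covered = 0
        for off in sorted(entry["frags"]):
            if off != covered:             # gap, or an overlapping fragment: hold it
                return False
            covered += len(entry["frags"][off])
        return covered == entry["total"]

    def _drop(self, frag_id):
        self.in_use -= self.pending.pop(frag_id)["bytes"]
```

Overlapping fragments are the “unexpected ways” case: a production sensor must additionally decide whose data wins according to how the protected host’s IP stack resolves the overlap, which is outside this example.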
IDS Evasion Defenses
 Don’t despair: utilize IDS where appropriate.
 Keep the IDS system up to date.
 Utilize both Host-Based and Network-Based IDS.
  - A network-based IDS listens to the network looking for attacks.
  - A host-based IDS runs on the end system that is under attack.

References
 Counter Hack, Ed Skoudis, Prentice-Hall, Inc., NJ, 2002
 Hacking Exposed, McClure, Scambray, Kurtz, McGraw-Hill, Chicago, 2001
 http://www.internic.net/alpha.html
 http://www.internic.net/whois.html
 http://www.alldomains.com/404.html
 http://www.arin.net/whois/index.html
 http://www.ripe.net/
 http://www.scit.wlv.ac.uk/~jphb/comms/dns.html
 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_DNS_und_ZoneTransfers.asp

References (cont.)
 http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html
 http://www.samspade.org/ssw/
 http://www.freesoft.org/CIE/Topics/81.htm
 http://www.austin.rr.com/rrsec/computer_ports.html
 http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci214184,00.html
 http://www.marko.net/cheops/
 http://www.insecure.org/nmap/
 http://www.security.pipex.net/stateful.html
 http://www.sei.cmu.edu/str/descriptions/firewalls_body.html