Scanning - Dr. Stephen C. Hayne
Scanning
This presentation is an amalgam of presentations by Mark
Michael, Randy Marchany and Ed Skoudis.
I have edited and added material.
Dr. Stephen C. Hayne
The Source!
“Network Scanning Techniques –
Understanding how it is done”
Author: Ofir Arkin
NETWORK SCANNING
[Diagram: a scanner on the Internet (external threats) and a scanner on the internal network (internal threats), with the gateway, firewall, domain controller, mail server, database server, web server and desktops as targets]
Intro to Intelligence Gathering
Techniques
3 Major Steps
Footprinting
Scanning
Enumeration
Similar to Military
Gather information on the target
Analyze weaknesses
Construct and launch attack
Footprinting
Construct a profile of the target site
Administrative, technical and billing
contacts from the ARIN database
(whois utility)
IP Address range
DNS Servers
Mail Servers
Firewalls
Scanning
Art of detecting which systems are alive
and reachable on the Internet
What services do they offer?
TCP/UDP running on each system
System architecture (Unix, Windows,
etc.)
OS version and patch levels
Enumeration
The process of extracting valid accounts
or exported resource names from
systems
Uses active connections to systems and
queries; therefore it is more intrusive than
footprinting or scanning
OS specific
Gathers userid, group names, system
banners, routing tables, SNMP info
Intro to Scanning
What are scanners doing?
What do they look like (signature)?
How do they operate in order to
accomplish their tasks?
What kind of information is collected?
How serious is the threat?
Scanning: Ping Sweeps
Send ICMP Echo Requests (ICMP Type 8) to the
target and wait for ICMP Echo Replies (ICMP
Type 0)
Unix tools: fping, gping, nmap
Windows tools: ping, pinger from Rhino9 (an extremely fast
scanner that sends multiple ICMP echo requests
concurrently)
Defense: block ICMP echo requests
Scanning: Broadcast ICMP
Send ICMP Echo Request to broadcast
address on the subnets
Unix boxes will answer requests
directed to the network so we can
identify the Unix boxes using this
technique
Windows boxes won’t respond
Scanning: Non-ECHO ICMP
Use non-ECHO ICMP protocols to
bypass the ‘block ICMP echo’ filters
ICMP type 13 (TIMESTAMP) will query a
system for the current time
ICMP type 17 (Address Mask Request)
is used by diskless systems to obtain their
subnet mask at boot time.
Tools: icmpush, icmpquery
Scanning: TCP Sweeps
TCP SYN or TCP ACK packets sent to
the target network
telnet, FTP, HTTP, SMTP are the
common ports scanned
Firewalls can spoof the response so this
isn’t a reliable scanning method
Tools: nmap, hping (also allows packet
fragments to be sent)
Scanning: UDP Sweeps
Relies on the ICMP PORT UNREACHABLE
message which is sent by a closed UDP port
If not received, the port is assumed to be
open
Not reliable because:
Routers can drop UDP packets
Many UDP services don’t respond correctly
Firewalls usually drop UDP packets except DNS
Scanning: Port Scanning
Goal: determine what services are
running or in a LISTENING state
The services may suffer from
vulnerabilities
A number of port scan techniques
Port Scanning
TCP Connect() scan
SYN packet sent to target port
If SYN/ACK is received, port is active
If RST/ACK is received, port is dead
Finish the 3-way sequence by sending
an ACK then terminate the connection
Easily detected by looking at syslogs for
connection or error messages
Port Scanning
TCP Half Open Scan (SYN Scan)
Send the SYN packet to the target
If SYN/ACK received, the port is active
If RST/ACK received, the port is dead
We do NOT complete the connection
Advanced Port Scanning
Stealth Scanning techniques
Intentionally violate the 3-way handshake
SYN/ACK scan
FIN scan
XMAS scan
NULL scan
RFC 793 states that closed ports must reply
with a RST packet to our probe
Stealth Scanning
SYN/ACK scan
Send SYN/ACK to target (step 2 of the 3
way handshake)
TCP should respond with RST because it
figures this is a mistake
We get a response which tells us the port
is closed
Open ports do not send anything
Stealth Scanning
FIN scan
Send a FIN to the target
Wait for reply
Open ports will respond
XMAS scan
Send TCP packet with all TCP flags –
URG, ACK, PSH, RST, SYN, FIN set
Stealth Scanning
Null Scanning
Send TCP packet that turns off all flags
The target should send a RST to all closed ports
RFC 793 says this should work for every TCP
implementation
Windows, CISCO, BSDI, HP/UX, MVS, Irix are broken.
They send RST to open ports as well.
If FIN/NULL/XMAS scans show closed ports then
SYN scan them to find open ports. If they match,
you have one of the above systems.
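Added example (not part of the original slides): a detection check for the FIN, XMAS, NULL and unsolicited SYN/ACK probes described above, run over constructed packet records. The flag constants follow RFC 793; the alert threshold and the sample traffic are assumptions.

```python
# Added example (not part of the original slides): an IDS-style check that
# names the stealth-scan probe a TCP flag byte corresponds to and alerts when
# one external source sends such probes to many ports. Traffic is constructed.
from collections import defaultdict

# TCP flag bits, low six bits of the flags field (RFC 793); ECN bits are masked off
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG

def classify_flags(flags):
    """Map a flag byte to the probe type the slides describe, else 'normal'."""
    f = flags & ALL_SIX
    if f == 0:
        return "null"      # no flags at all
    if f == ALL_SIX:
        return "xmas"      # every flag lit
    if f == FIN:
        return "fin"       # bare FIN: a real teardown always carries ACK too
    if f == SYN | ACK:
        return "synack"    # a probe only if we never sent the SYN (checked below)
    return "normal"

def detect_stealth_scans(packets, threshold=3):
    """packets: (src, dst, sport, dport, flags, inbound) tuples in capture order.
    Returns {src: {probe_type: sorted ports}} for sources hitting at least
    `threshold` distinct ports with one anomalous flag pattern."""
    outbound_syns = set()                         # (local, remote, remote_port)
    hits = defaultdict(lambda: defaultdict(set))
    for src, dst, sport, dport, flags, inbound in packets:
        kind = classify_flags(flags)
        if not inbound:
            if (flags & ALL_SIX) == SYN:          # connection we initiated
                outbound_syns.add((src, dst, dport))
            continue
        if kind == "synack" and (dst, src, sport) in outbound_syns:
            continue                              # ordinary reply to our own SYN
        if kind != "normal":
            hits[src][kind].add(dport)
    return {s: {k: sorted(v) for k, v in kinds.items() if len(v) >= threshold}
            for s, kinds in hits.items()
            if any(len(v) >= threshold for v in kinds.values())}

# Constructed sample, fields: (src, dst, sport, dport, flags, inbound)
SAMPLE = [
    ("192.0.2.10", "203.0.113.5", 40000, 443, SYN, False),        # we open a connection
    ("203.0.113.5", "192.0.2.10", 443, 40000, SYN | ACK, True),   # legitimate SYN/ACK
    ("198.51.100.7", "192.0.2.10", 52000, 23, SYN | ACK, True),   # unsolicited SYN/ACK
] + [("198.51.100.7", "192.0.2.10", 51000 + i, port, ALL_SIX, True)
     for i, port in enumerate((21, 22, 25, 80))]                  # XMAS sweep
```

`detect_stealth_scans(SAMPLE)` reports only the XMAS sweep; the single unsolicited SYN/ACK stays below the threshold and the legitimate SYN/ACK is matched to our own SYN.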
Inverse Mapping
Gather info about hosts or networks which aren’t
there
We make assumptions about what is there
RESET Scan
Routers will give information on a net even if the
question doesn’t make sense
Routers will report non-existent addresses
No HOST UNREACHABLE or TIME EXCEEDED means
the IP exists
Inverse Mapping
Proxy Scanning/FTP Bounce Scanning
Attacker.com connects to FTP server which has a
world writable directory and opens a control
connection
Attacker can then ask the FTP server to initiate an
active server data transfer process to send a file
anywhere on the net. Hobbit’s paper has more
details
Use to scan behind a firewall
Port Scanning Techniques
TCP Reverse Ident Scanning
Ident protocol (RFC 1413) determines the
owner of a TCP connection by communicating
on port 113
Full TCP connection to the host
Slow scan
Defeats IDS that look for lots of connections in a
short period of time.
Typical scan rate: 2 ports/day
Port Scanning Techniques
Fragmentation Scanning
All IP packets can be fragmented
RFC 791 defines the min/max fragment size
8 octets (min frag size) are enough to contain
the src/dst port numbers
This forces the TCP flags field into the second
fragment
Port Scanning Techniques
Fragmentation Scanning
Some filters/IDS may incorrectly reassemble or
completely miss portions of the scan
Filters that queue all IP fragments can handle
this method
Fixed in most vendor’s products
Port Scanning Techniques
Decoy Scanning
The target net thinks the hosts you specify
as decoys are scanning them also
Makes it impossible to determine who the
real scanner is
Signature: the TTL field usually contains the same
value for the decoys and the real scanner
Nmap avoids this mistake
Traceroute the source IP
Port Scanning Techniques
Coordinated Scans
Multiple IP’s used in the scan
Each one of them probes specific ports in a
different time period, different scan rate
Detection depends on the time period the
probes take place
Coordinated scans are the most discreet way of
probing a target
Operating System Detection
Banner Grabbing
FTP/IIS
Telnet banners identify the OS version
SYST command
DNS HINFO Record
Pair of strings identifying the host’s HW
Operating System Detection
TCP/IP Stack Fingerprinting
Uses distinct variation in TCP stack
implementation to get the OS type
Send specific TCP packets to target and
observe the response
Varies with vendor because they interpret the
RFC differently when they wrote their TCP
stacks
Operating System Detection
FIN packet sent to open port. RFC 793 says
“don’t respond to the FIN”.
Many stacks will respond with a RST.
Windows, BSDI, CISCO, HPUX, MVS, Irix do
this.
Operating System Detection
Bogus Flag Probe
SYN packet with undefined flag is sent
Linux < 2.0.35 will keep the flag in their response.
Other OS will RST the connection
TCP ISN sampling
Find pattern of the ISN
Traditional 64K (older Unix)
Random Increment (FreeBSD, DGUX, Irix, newer
Solaris)
True Random (linux)
Time-dependent model (MS Windows)
Operating System Detection
Don’t Fragment Bit
Some OS use this bit to enhance performance
TCP Initial Window
Some OS stack implementations have a unique
initial window size on their returned packets
AIX returns 0x3F25; OpenBSD and FreeBSD use
0x402E
Operating System Detection
ACK Value
Some IP stacks differ in the value they use for
the ACK field
Send FIN/PSH/URG to a closed port. Most
implementations set the ACK number in the
returned packet to the same value as the
sequence number received.
Windows responds with ACK = seq# + 1
Operating System Detection
ICMP Error Message Quenching
RFC 1812 suggests limits on various error
message rates. Only a few OS follow the RFC.
Send UDP packets to random, high, UDP port
and count the number of unreachable
messages received within a given amount of
time.
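Added example (not from the slides) for the defender's side of this slide: an RFC 1812 style token-bucket limit on outgoing ICMP errors, simulated against a UDP sweep of closed ports. The 10 messages per second policy, the burst size and the simulated clock are constructed, not values from any real stack.

```python
# Added example (not part of the original slides): the defender's side of
# ICMP error quenching, an RFC 1812 style token-bucket limit on outgoing
# ICMP errors. Clock is simulated; 10 messages/s with a burst of 10 is a
# constructed policy, not a value from any real stack.
class IcmpErrorLimiter:
    """Token bucket kept in integer millitokens so the arithmetic is exact."""
    def __init__(self, rate_per_sec=10, burst=10):
        self.rate = rate_per_sec        # messages refilled per second
        self.cap = burst * 1000         # bucket capacity in millitokens
        self.tokens = self.cap
        self.last_ms = 0
        self.suppressed = 0             # errors dropped by the limiter

    def allow(self, now_ms):
        """True if an ICMP error may be emitted at time now_ms (milliseconds)."""
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        # elapsed ms * messages/s == millitokens refilled
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate)
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        self.suppressed += 1
        return False

def simulate_udp_sweep(n_probes, duration_ms, limiter=None):
    """Deliver n_probes UDP datagrams to closed ports, evenly spaced over
    duration_ms, and return how many PORT UNREACHABLE replies the host sends.
    With no limiter every probe is answered, the behaviour the slide relies on."""
    replies = 0
    for i in range(n_probes):
        t = i * duration_ms // n_probes
        if limiter is None or limiter.allow(t):
            replies += 1
    return replies
```

With the limiter in place the count an outside observer sees (19 of 100 in one second) reflects the configured policy rather than the stack implementation.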
Operating System Detection
ICMP Message Quoting
ICMP error messages should quote a small
amount of info from the ICMP message that
caused the error.
Example: PORT UNREACHABLE
Most stacks quote only the IP header + 8 bytes of
the datagram that triggered the error.
Solaris and Linux provide more info than is
needed
Operating System Detection
ICMP Error Message Echoing Integrity
Some OS stack implementations alter the IP
header when sending back an ICMP error
message.
Another way to identify the OS.
ICMP Type of Service
ICMP PORT UNREACHABLE TOS field
Linux uses 0xC0 for this value. All others use 0.
Operating System Detection
Fragmentation Handling
Different stack implementations handle
overlapping fragments differently.
TCP Options
RFC 793 and RFC 1323 define TCP options. Not all
OSes implement the options.
Send query with option set. Target sets the
option only if it supports it. Some OS support
advanced options, others don’t.
Banner Checks
Check the service output retrieved during TCP
port scan for version number
Example banner: 220 mail.domain.com ESMTP Sendmail 8.6.1/8.6.1
Here the version number indicates a vulnerability.
Banner checks cannot always determine whether
a vulnerability has been patched
Vulnerabilities that can be detected by banner checks include:
– SMTP (Sendmail, MMDF, Lotus Domino, etc.)
– POP/IMAP
– FTP (wu-ftpd, etc.)
– SSH
– INN
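Added example (not from the slides): a banner audit of the kind this slide describes, parsing version strings from constructed SMTP, FTP and SSH greetings and comparing them against a placeholder baseline. The regexes and minimum versions are assumptions, not real advisories; the first banner is the one quoted on the slide.

```python
# Added example (not part of the original slides): inventory-style banner
# check over the service greetings a TCP port scan of your own hosts returns.
# The regexes and the minimum-version baseline are constructed placeholders.
import re

# product -> (regex capturing the version, minimum version you consider current)
BASELINE = {
    "Sendmail": (re.compile(r"ESMTP Sendmail (\d+(?:\.\d+)*)"), "8.12.0"),  # placeholder
    "wu-ftpd":  (re.compile(r"\(Version wu-(\d+(?:\.\d+)*)"), "2.6.2"),     # placeholder
    "OpenSSH":  (re.compile(r"OpenSSH_(\d+(?:\.\d+)*)"), "3.7"),            # placeholder
}

def version_tuple(text):
    """'8.6.1' -> (8, 6, 1); tuple comparison makes 8.12 sort above 8.6."""
    return tuple(int(part) for part in text.split("."))

def check_banner(banner):
    """Return (product, version, status); status is 'outdated', 'ok' or 'unknown'.
    'outdated' is a lead, not proof: a distro that backports fixes keeps the
    old version string, which is the limit the slide warns about."""
    for product, (pattern, minimum) in BASELINE.items():
        match = pattern.search(banner)
        if match:
            version = match.group(1)
            outdated = version_tuple(version) < version_tuple(minimum)
            return product, version, "outdated" if outdated else "ok"
    return None, None, "unknown"

def audit(banners):
    """Collect the outdated findings from (host:port, banner) pairs."""
    findings = []
    for where, text in banners:
        product, version, status = check_banner(text)
        if status == "outdated":
            findings.append((where, product, version, status))
    return findings

# Constructed banners; the first is the one quoted on the slide
BANNERS = [
    ("mail.domain.com:25", "220 mail.domain.com ESMTP Sendmail 8.6.1/8.6.1"),
    ("ftp.example.net:21", "220 ftp.example.net FTP server (Version wu-2.6.2-5) ready."),
    ("shell.example.net:22", "SSH-2.0-OpenSSH_3.4p1"),
    ("www.example.net:80", "Server: Apache"),
]
```

`audit(BANNERS)` flags the Sendmail and OpenSSH hosts; the Apache banner carries no version and is reported as unknown rather than guessed at.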
URL CHECKS
Check for vulnerabilities in specific programs on
web server:
You can try to exploit the vulnerability:
Check whether specially crafted URL returns contents of some
file which is known to reside on the server.
Or just see if the file exists on the web server:
Check whether URL returns 200 OK response.
Firewalking
A technique used to gather information
about a remote network protected by a
firewall.
2 purposes
Determine the ACL of a FW by mapping open
ports on the FW.
If the FW drops ICMP ECHO request/reply, this
technique is still effective
Firewalking
Uses traceroute-style probing to determine
whether a packet passes through the FW.
Need 2 pieces of info
IP of last known gateway BEFORE the FW. This
is our waypoint.
IP of a host located behind the firewall. This is
used as a destination to direct packet flow.
Firewalking
If we traceroute a host behind the FW and get
blocked by the ACL, we find the FW.
We then try to traceroute same host using
different transport protocol (TCP, UDP, ICMP). If
we get a response, 2 possible conclusions:
This particular traffic is allowed by the FW.
We know a host exists behind the FW.
Trying to pass packets on all ports/protocols
through the FW and monitoring the responses will
produce the ACL. Use a slow scan to avoid
detection! Send packets to all hosts inside the net.
War Driving
With a laptop and wireless card, an attacker can drive down
the street and join many wireless LANs!
Windows tools: NetStumbler, WinPcap
Linux tools: Airsnort, WEPCrack
War Chalking
Variant of the “hobo” sign language: chalk symbols marking wireless access points
[Example symbol: SSID “Retina” written above, )( in the middle, bandwidth 1.5 below]
Key: SSID on top; () – closed node, )( – open node; bandwidth underneath
War Driving Defenses
Use Virtual Private Network (VPN)
All data from the end system to the VPN
gateway is encrypted and authenticated
SLAN is a freeware VPN on Linux or
Windows:
http://slan.sourceforge.net
Allow connections only from specific MACs
Conclusions
Understanding the importance of
detecting these scans could prevent
intrusions to the scanned systems.
Use an IDS to gather scan signatures.
Develop filters for these scans