Network Reconnaissance and
Enumeration
Section 3
7/17/2015
Outline – Passive Enumeration
• ARP
• Network Sniffing
Outline – Active Enumeration
• Ping
• Traceroute
• Port/Service Scanning
• Banner Grabbing
• OS Fingerprinting
• Firewalking
• SNMP
• Routing Daemons
Objective
• Targeted Network Reconnaissance
– Network topology
– Host systems
– Host applications/services
– Host configuration
– Host user accounts
– Naming conventions
Passive Enumeration
• Generally LAN based
• Generally undetectable
ARP Enumeration
• All systems with IP stacks will have ARP
• Local ARP table contains a list of all MAC
addresses mapped to IP addresses
• The first 6 hex digits of a MAC address identify the
card/system vendor (e.g.)
– 00067Cxxxxxx : Cisco
– 080020xxxxxx : Sun
• ARP mappings are gathered and released
automatically by the system
ARP Enumeration
• Use the ‘arp -a’ command to get access to the
local ARP table
C:\>arp -a
Interface: 158.177.248.190 on Interface 4
  Internet Address      Physical Address      Type
  158.177.248.1         00-00-0c-07-ac-02     dynamic
  158.177.248.2         00-d0-d3-38-68-08     dynamic
  158.177.248.3         00-d0-d3-36-08-84     dynamic
  158.177.248.191       00-d0-59-05-d2-13     dynamic
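As an added example (not from the slides), the following Python parses the ‘arp -a’ output above into an inventory of the local segment and tags each entry by vendor prefix; the prefix table holds only the two prefixes the slide gives plus 00:00:0C (Cisco's original OUI), a constructed stand-in for the full IEEE list.

```python
import re
from typing import Dict, List, Tuple

# Vendor prefix table: the two prefixes from the slide plus 00:00:0C (Cisco),
# which is the prefix in the slide's own arp output. A real inventory tool
# would load the full IEEE OUI list; this small table is constructed here.
OUI_VENDORS: Dict[str, str] = {"00067C": "Cisco", "080020": "Sun", "00000C": "Cisco"}

# One data row of Windows 'arp -a' output: IP, MAC (hyphen or colon form), type
ARP_ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\s+(?P<type>\w+)"
)

def normalise_mac(mac: str) -> str:
    """12 upper-case hex digits with separators stripped, e.g. 00000C07AC02."""
    return re.sub(r"[-:]", "", mac).upper()

def vendor_for(mac: str) -> str:
    """The first 6 hex digits of the MAC select the vendor; 'unknown' if absent."""
    return OUI_VENDORS.get(normalise_mac(mac)[:6], "unknown")

def parse_arp_table(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse 'arp -a' output into (ip, mac, type, vendor) rows.
    The 'Interface:' line and the column headers never match ARP_ROW, so
    they are skipped without special handling."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            rows.append((m["ip"], normalise_mac(m["mac"]), m["type"], vendor_for(m["mac"])))
    return rows

# Sample input: the table from the slide above
SAMPLE_ARP = """\
Interface: 158.177.248.190 on Interface 4
  Internet Address      Physical Address      Type
  158.177.248.1         00-00-0c-07-ac-02     dynamic
  158.177.248.2         00-d0-d3-38-68-08     dynamic
  158.177.248.3         00-d0-d3-36-08-84     dynamic
  158.177.248.191       00-d0-59-05-d2-13     dynamic
"""

if __name__ == "__main__":
    for row in parse_arp_table(SAMPLE_ARP):
        print(row)
```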
Network Sniffing
• Placing a network adapter in ‘promiscuous
mode’ enables the reception of all network
traffic passing the adapter.
• Most effective on non-switched networks
• Even on switched networks all broadcast
traffic may be received
• No valid IP address required
Network Sniffing – What do we get?
• MAC addresses
• IP addresses and IP structure
– RIP, OSPF packets
• System names
– NetBIOS broadcasts
– Cisco Discovery Protocol
– IPX service announcements
• Default gateways
• Not to mention usernames, passwords and
data…but more on that later
Network Sniffing – The Tools
• Windows
– NetMon (Microsoft)
– Sniffer Pro (NAI)
– Tcpdump + winpcap (GPL)
• UNIX
– Tcpdump (GPL)
– Ethereal (GPL)
– Dsniff (more attack than recon – GPL)
Network Sniffing - Filtering
• On high throughput networks use capture filters
– Whole packet is usually not needed – just headers
and start of data portion
– Any IP or TCP/UDP protocol may be included or
excluded from a capture filter
– ‘Noisy’ addresses may be filtered out
• All network sniffing tools support filtering to
some degree
• For extended periods of sniffing filters will be
essential
Network Sniffing - tcpdump
• Console based, highly configurable, low resource
usage.
Network Sniffing – Ethereal
Active Enumeration
• Can yield a great deal of data
• Can be detected
• May require specialised software/OS
The Mighty Ping
• Used to determine host reachability
• Nearly all systems with an IP stack have a
ping facility
• Uses the ICMP protocol
• Provides
– Round trip time (RTT)
– Time to live (TTL) – indicates hop-count
• Generally unnoticed if used in moderation
Ping test
HACKER  --- ICMP Echo Request --->  TARGET
HACKER  <-- ICMP Echo Response ---  TARGET
Ping - Usage
• Ping is used on one system at a time
• It is possible to ping a broadcast address,
sometimes multiple responses are returned
C:\>ping 158.177.248.1
Pinging with 32 bytes of data:
Reply from : bytes=32 time=1ms TTL=255
Reply from : bytes=32 time=1ms TTL=255
Reply from : bytes=32 time=1ms TTL=255
Reply from : bytes=32 time<10ms TTL=255
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
RTT: Minimum = 0ms, Maximum = 1ms, Average = 0ms
Ping – Sweeping
• Ping-sweeping is a term for sweeping
multiple addresses with a ping query to
determine host reachability.
• Used for finding targets within a network
range.
• Will not work on targets that have ICMP
traffic filtered or blocked.
• Tools such as NMAP, MingSweeper and
Pinger will perform a ping-sweep.
More with ping
Identifying the Firewall
Good commercial firewalls block timestamp requests
and source-routed packets. Use ping to send them; if they
get no reply, there is a firewall in the way:
# ping -v -T tsandaddr 10.0.0.120
PING 10.0.0.120 (10.0.0.120) from 10.0.0.1 : 56(124) bytes of data.
--- 10.0.0.120 ping statistics ---
16 packets transmitted, 0 received, 100% loss
# ping -v -T tsandaddr 10.0.0.125
PING 10.0.0.125 (10.0.0.125) from 10.0.0.1 : 56(124) bytes of data.
--- 10.0.0.125 ping statistics ---
8 packets transmitted, 0 received, 100% loss
More fun with ICMP
Identifying the Firewall
W Richard Stevens – a god amongst men and author of
TCP/IP Illustrated etc., left us with the ability to
generate ICMP address mask requests and ICMP timestamp
requests
# icmpaddrmask 10.0.0.120
Received mask fffff00, from 10.0.0.120
#
Traceroute
• Used to determine both connectivity AND the IP
route used to reach the target.
• Available on most but not all systems that have
an IP stack.
• Relies on the fact that routers should always
decrement the TTL of a packet as it passes.
• Generally uses ICMP packets on Windows and
UDP packets on UNIX systems. However any IP
protocol could be used in theory.
Traceroute - Visual route
(Screenshot; callout on one hop: “Probably the firewall or the perimeter router”)
Port/Service Scanning
• Used to determine what TCP or UDP ports are
available on a target system.
• The scanner will attempt to connect to each port
on the target.
• The scanner should detect the port in one of three
states:
– Closed – port reachable but no service present
– Open – port is reachable and service is present
– Filtered – port is non-reachable, possible firewall or
packet filter is present
Background to TCP scanning
• Determine what ports of a host are
listening for connections
• 4 main types of TCP scans
1. TCP connect()
2. SYN scan
3. FIN scan + Null + ACK + XMAS
4. Fragmentation scanning
TCP Connect Scan
• Uses a system call provided by the
operating system
• If the port is listening, connect will
succeed
• Does not require any special privileges
• Easily detectable
• Most reliable
• Cannot usually detect filtered ports
TCP Connect
• The Three-way handshake
CLIENT  --- Syn --->      TARGET
CLIENT  <-- Syn/Ack ---   TARGET
CLIENT  --- Ack --->      TARGET
SYN Scan
• Commonly referred to as half-open scanning
• Sends a SYN packet and waits for a response
• A SYN/ACK response indicates the port is listening
• A RST packet indicates the port is not listening
• Less likely to be logged
• No response indicates the port is filtered
• Requires raw sockets, and therefore root or
Administrator privileges
• Some IDS confuse this with a SYN flood
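The last two bullets are exactly what a detector has to tell apart. As an added example (not from the course), this Python classifies constructed per-packet records by the pattern each source leaves behind: many distinct ports with an unanswered SYN (half-open scan) versus many SYNs at one port (flood), while a connect() scan or a normal client that completes the handshake is not counted; the thresholds are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    flags: str   # TCP flags sent by src in this packet: "S" bare SYN, "A" final ACK

SCAN_PORTS = 10   # distinct ports hit with unanswered SYNs before calling it a scan
FLOOD_SYNS = 10   # bare SYNs at one single port before calling it a flood

def classify_sources(flows: List[Flow]) -> Dict[str, str]:
    """Per source: 'syn-scan', 'syn-flood' or 'ok'.
    A half-open scan leaves many ports with a SYN and no ACK from the client;
    a SYN flood repeats the same against one port; a connect() scan or a real
    client finishes the handshake, so its SYNs are excluded here."""
    completed: Set[Tuple[str, str, int]] = {
        (f.src, f.dst, f.dport) for f in flows if f.flags == "A"
    }
    ports_by_src: Dict[str, Set[int]] = defaultdict(set)
    syns_by_src_port: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in flows:
        if f.flags != "S" or (f.src, f.dst, f.dport) in completed:
            continue
        ports_by_src[f.src].add(f.dport)
        syns_by_src_port[(f.src, f.dport)] += 1
    verdict: Dict[str, str] = {}
    for src in sorted({f.src for f in flows}):
        if len(ports_by_src[src]) >= SCAN_PORTS:
            verdict[src] = "syn-scan"
        elif any(n >= FLOOD_SYNS for (s, _), n in syns_by_src_port.items() if s == src):
            verdict[src] = "syn-flood"
        else:
            verdict[src] = "ok"
    return verdict

# Constructed sample: a half-open scanner, a flooder and a normal client
SAMPLE_FLOWS: List[Flow] = (
    [Flow("10.0.0.50", "10.0.0.120", port, "S") for port in range(1, 13)]
    + [Flow("10.0.0.51", "10.0.0.120", 80, "S") for _ in range(15)]
    + [Flow("10.0.0.52", "10.0.0.120", 80, "S"), Flow("10.0.0.52", "10.0.0.120", 80, "A")]
)

if __name__ == "__main__":
    print(classify_sources(SAMPLE_FLOWS))
```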
FIN Scan + Null + XMAS
• More stealthy than a SYN scan
• Reply with a proper RST packet indicates
that the port is closed
• Open ports tend to ignore the FIN packet
• However Microsoft boxes tend to send a
RST packet regardless
• Can be used to differentiate a Unix box
from a Microsoft box
ACK Scan
• Not used to identify open and closed ports
• Used to identify filtered ports
• Can be useful for mapping packet filter
rules
Fragmentation scanning
• A modification of other techniques of
scanning
• Breaks the probe packet into a couple of
small IP fragments
• Breaking up the TCP header into several
smaller packets makes it harder to detect
and some packet filters will pass the
packet unchecked rather than wait for all
of the fragments to arrive.
UDP Port Scanning
• Single UDP packet to each port being tested
• Closed ports respond with an ICMP unreachable
message.
• Open ports will NOT respond
• Filtered ports will NOT respond
• Results can be ambiguous on filtered targets
• Can be very slow due to ICMP message rate
limiting, which is specified within the RFCs
describing IP & ICMP. Some systems do not
implement this (e.g. all Windows systems.)
Banner Grabbing
• The process of examining banner strings returned
by services bound to open TCP ports
• Enables identification of service applications
including software version.
• Not effective for non-character based services
(e.g. SMB, HTTPS)
• Some service applications will not send banner
information until prompted (e.g. HTTP)
• Useful for identification of service applications
on non-standard ports
Banner Grabbing – Manual Testing
• Use netcat or telnet to connect to the port :
C:\>nc 10.0.0.120 25
220 Sendmail/8.8.8 ESMTP
Looks like Sendmail 8.8.8 mail server - easy
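As an added example (not the course's code), this Python parses the banner shown above and two other common text banners into product and version, and records which services must be prompted before they answer, the HTTP case the earlier slide mentions; the probe table and regexes are assumptions for the example.

```python
import re
from typing import Dict, Optional

# Which services talk first and which must be prompted, as the slides note:
# SMTP (and SSH) greet unprompted, HTTP only answers a request. Constructed
# table for the example; the HTTP probe is a minimal HEAD request.
PROBES: Dict[int, Optional[bytes]] = {
    25: None,
    22: None,
    80: b"HEAD / HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
}

BANNER_PATTERNS = [
    # SMTP greeting, e.g. "220 Sendmail/8.8.8 ESMTP" or "220 host Sendmail/8.8.8 ESMTP"
    ("smtp", re.compile(r"^220 (?:\S+ )?(?P<product>[A-Za-z][\w.-]*)/(?P<version>[\w.]+)")),
    # SSH version string, e.g. "SSH-2.0-OpenSSH_7.4"
    ("ssh", re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_-](?P<version>[\w.]+)")),
    # HTTP response headers, e.g. "Server: Apache/2.4.1"
    ("http", re.compile(r"^Server: (?P<product>[A-Za-z][\w.-]*)/(?P<version>[\w.]+)", re.M)),
]

def parse_banner(text: str) -> Optional[Dict[str, str]]:
    """Return {'service', 'product', 'version'} for a recognised banner, else None.
    Binary-protocol responses (SMB, TLS) never match, which is the slide's point
    about non-character based services."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.search(text)
        if m:
            return {"service": service, "product": m["product"], "version": m["version"]}
    return None

def probe_for(port: int) -> Optional[bytes]:
    """Bytes to send before reading, or None when the service greets on its own."""
    return PROBES.get(port)

# Banner copied from the slide above
SAMPLE_SMTP = "220 Sendmail/8.8.8 ESMTP"

if __name__ == "__main__":
    print(parse_banner(SAMPLE_SMTP))
```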
Banner Grabbing - Automation
Fingerprinting
• Stack fingerprinting is used to determine
the operating system of a target host
• Utilises differences in the implementation
of the IP stacks
• Involves sending non-standard packets to
the target and examining any responses
• Not always accurate
• Very easy to spot for IDS
Fingerprinting – A Simple Test
• A single ping can be used to aid in OS
detection and is a very basic way of
fingerprinting a target.
Windows !!
# ping 10.0.0.120
PING 10.0.0.120 : 56(84) bytes of data.
64 bytes from 10.0.0.120: icmp_seq=1 ttl=128 time=0.280 ms
--- 10.0.0.120 ping statistics ---
Note that TTL=128 in the reply. That almost
guarantees that the target is a Windows
system of some description.
Fingerprinting – A Simple Test
• Here are the default TTL (Time To Live)
values for a few common systems :
– Cisco Devices          255
– Most Windows Systems   128
– Windows 95             32
– Linux <= 2.0.x         64
– Linux >= 2.1.x         255
– Solaris                255
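An added example (not from the slides) that turns the two slides above into code: it reads the ttl field from a ping reply, rounds it up to the nearest common initial value to recover the hop count, and lists the systems in the table whose default matches. The same arithmetic lets a defender check whether a packet's TTL is consistent with its claimed source.

```python
import re
from typing import List, Optional, Tuple

# Default TTLs as listed in the slide's table (the slide's own values; modern
# Linux kernels default to 64, so treat the table as dated course material)
DEFAULT_TTLS: List[Tuple[str, int]] = [
    ("Cisco Devices", 255),
    ("Most Windows Systems", 128),
    ("Windows 95", 32),
    ("Linux <= 2.0.x", 64),
    ("Linux >= 2.1.x", 255),
    ("Solaris", 255),
]
INITIAL_TTLS = (32, 64, 128, 255)   # common starting values, ascending

TTL_FIELD = re.compile(r"\bttl=(\d+)", re.IGNORECASE)

def observed_ttl(reply_line: str) -> Optional[int]:
    """Extract the ttl field from one ping reply line; None for timeouts."""
    m = TTL_FIELD.search(reply_line)
    return int(m.group(1)) if m else None

def infer_initial_ttl(ttl: int) -> Tuple[int, int]:
    """Round the observed TTL up to the nearest common initial value.
    Every router decrements TTL by one, so hops = initial - observed."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL {ttl} is not a valid 8-bit value")

def guess_os(ttl: int) -> List[str]:
    """Systems in the slide's table whose default equals the inferred initial TTL."""
    initial, _ = infer_initial_ttl(ttl)
    return [name for name, default in DEFAULT_TTLS if default == initial]

# Reply line copied from the slide (a direct hit: 0 hops, ttl unchanged)
SAMPLE_REPLY = "64 bytes from 10.0.0.120: icmp_seq=1 ttl=128 time=0.280 ms"

if __name__ == "__main__":
    ttl = observed_ttl(SAMPLE_REPLY)
    if ttl is not None:
        print(ttl, infer_initial_ttl(ttl), guess_os(ttl))
```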
Advanced IP Stack Fingerprinting
• Involves sending crafted packets to the
target
• Ideally requires >=1 open port and >=1
closed port
• Packet filters, firewalls and transparent
proxies can render IP stack fingerprinting
useless when using automated tools such
as NMAP, Queso or MingSweeper
because they sometimes re-write packets.
Advanced IP Stack Fingerprinting
• Tools for automated stack fingerprinting
– NMAP stack fingerprinting
– Xprobe ICMP stack fingerprinting
– MingSweeper combined NMAP+ICMP
– Queso – early stack fingerprinting, NMAP
draws tests from this software.
NMAP
• “Network Mapper”
• Open source utility for network exploration
• Its functions include a wide variety of port
scanning mechanisms, OS detection and ping
sweeps.
• Runs on most Unix based operating systems
• Has a graphical user interface
• It's FREE!
# nmap -sS -n -p 1-10000 10.0.0.125
Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
All 10000 scanned ports on 10.0.0.125 are: filtered
Nmap run completed -- 1 IP address (1 host up)
# nmap -sU -n -p 1-10000 10.0.0.125
Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
All 10000 scanned ports on 10.0.0.125 are: filtered
Nmap run completed -- 1 IP address (1 host up)
Mingsweeper
• Windows based network reconnaissance
utility
• Performs ping sweeps, Reverse DNS
sweeps, TCP & UDP port scans, OS
identification and application
identification.
• It is also FREE!
Scanning - Ming-sweeper
Stack Fingerprinting Test Probes
• NMAP tests comprise 9 probes
– TClass    TCP Initial Sequence Number probe
– T1 to T4  Four TCP open port probes
– T5 to T7  Three TCP closed port probes
– PU        Port Unreachable UDP probe
• MingSweeper adds 4 probes
– I1  Four ICMP echo probes
– I2  Four ICMP timestamp probes
– I3  Four ICMP address mask probes
– I4  Four ICMP information query probes
Firewalking
• Attempting to route packets through
firewall
• Vary IP protocol, TCP/UDP port numbers
• Use decrementing TTL values to elicit
responses from devices behind the firewall
• Not particularly successful on modern
firewall systems
Firewalking
• Hping – useful tool for generating many
types of hand-crafted IP packets. UNIX
only.
• Mptraceroute – performs traceroutes using
multiple IP protocols and allowing port
specifications. Win 2000/XP only.
Identifying the FW – Ike-scan
# ike-scan -v 10.0.0.125
Starting ike-scan 1.6 with 1 hosts
---
Pass 1 of 3 completed
---
Pass 2 of 3 completed
---
Pass 3 of 3 completed
Ending ike-scan 1.6:
1 hosts scanned in 22.595 seconds (0.04 hosts/sec).
0 returned handshake; 0 returned notify
Identifying the Firewall - LFT
# lft -vv -E -n 10.0.0.120
Looks like we made it.
Everyone responded.
Will finish TWO
TTL
Moving on...
Concluding with 2 hops.
LFT trace to 10.0.0.120:80/tcp
**[4.2 BSD bug]next gateway may errantly reply with reused TTLs
1 [target] 10.0.0.120:80 6.5ms
**[4.2 BSD bug]next gateway may errantly reply with reused TTLs
2 [target] 10.0.0.120:80 1.6ms
SNMP Enumeration
• Community string is equivalent to a password
used to control access to node information
• Very often set to ‘public’ and ‘private’
• All transmissions are in clear text
• SNMP daemons found on many network devices
and host systems.
• Generally all SNMP nodes in a network share the
same community name
SNMP Enumeration
• SNMP community names can be brute forced
easily
• SNMP can yield a huge amount of information
– ARP tables
– Routing tables
– Device specific information
– Traffic statistics
• Host based SNMP daemons may yield process,
service and user information (e.g. Windows NT
SNMP service)
SNMP Enumeration Tools
• Snmpget – Unix and Win32 tool for
enumerating individual SNMP keys
• Snmpwalk – Unix and Win32 tool for
enumerating whole or partial MIB trees
Routing Daemons
• Network topology is broadcast and may be
obtained by network sniffing
• Routers may be queried directly for
routing and topology information
• Network topology maps may be built using
data obtained from routing daemons on
hosts and routers
• Can be more thorough and less intrusive
than multiple traceroute queries
Route Analysis Tools
• Ripquery
– A diagnostic tool for interrogating RIP gateways
– Have a look on the Net for a RIP Spoofing tool I
wrote a decade ago
• BGP
– looking glass servers divulge BGP information about
routes
• Ospf_monitor
– A diagnostic tool for interrogating OSPF routers