The UNIX operating system
Scanning & Enumeration
Lab 3
Once the attacker knows whom to attack and has learned some of
what is there (e.g. DNS servers, mail servers), the next step is to
map the rest of the network and find its vulnerabilities.
Network Scanning and Enumeration
The process of collecting information about the computers
(assets) reachable on a network, either by
◦ listening to network traffic (passive), or
◦ probing the network by sending traffic and observing what
comes back (active).
◦ E.g. scan for live IP addresses (ping sweep).
◦ Once you know what is there, you can attack it
appropriately:
Scan for open ports to see which services are exposed, then apply
the matching exploits.
Enumerate user names, weak passwords, unused accounts, etc.
Port and Vulnerability Scanning
Once you know a device is present, what are its
vulnerabilities?
◦ Run a port scanner against every port (or a chosen range)
to find the open ones.
Services listening on those ports, once identified by banner or
version, may have known vulnerabilities.
http://www.faqs.org/faqs/computer-security/most-commonqs/section-21.html
http://en.wikipedia.org/wiki/Portscanning
◦ Or run a vulnerability scanner, which combines host
discovery, port scanning and checks for specific
vulnerabilities.
Scanning Programs
Tools used to identify which computers are active on a network, and
which ports and services are available on each.
◦ Verify which IP addresses are active on a network
ping sweep (ICMP echo, or TCP/ARP probes where ICMP is blocked)
◦ Determine what services are available from each system
port scan
Note: scanning systems you are not authorised to test may be illegal in some jurisdictions; get written permission first.
Examples:
◦ nmap (http://nmap.org/)
◦ unicornscan (http://www.unicornscan.org/)
◦ superscan (http://www.snapfiles.com/get/superscan.html)
◦ nessus (http://www.nessus.org/nessus/)
◦ fping (http://fping.sourceforge.net/), hping (http://www.hping.org/)
Caveat: results depend on the target's replies, and tools have
their own footprints (but not always)
“While Nmap attempts to produce accurate results, keep in mind
that all of its insights are based on packets returned by the target
machines (or firewalls in front of them). Such hosts may be
untrustworthy and send responses intended to confuse or mislead
Nmap.
Much more common are non-RFC-compliant hosts that do
not respond as they should to Nmap probes. FIN, NULL, and
Xmas scans are particularly susceptible to this problem. Such
issues are specific to certain scan types and so are discussed
in the individual scan type entries.”
“Truly advanced Nmap users need not limit themselves to the
canned scan types offered. The --scanflags option allows you to
design your own scan by specifying arbitrary TCP flags. Let your
creative juices flow, while evading intrusion detection systems
whose vendors simply paged through the Nmap man page adding
specific rules!”
Different kinds of scans explained
http://nmap.org/book/man-port-scanning-techniques.html
Internet Control Message Protocol (ICMP)
Lets hosts and routers report errors and exchange diagnostic
messages, so that problems on a network path can be detected.
◦ The PING utility is based on ICMP echo requests (type 8) and
echo replies (type 0).
◦ PING is used to verify whether another network host is
reachable. Many hosts and firewalls drop echo requests, so
no reply does not prove the host is down.
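The echo request/reply mechanics above, as an added example that is not part of the original slides: this Python builds an ICMP echo request with the RFC 1071 checksum, parses a reply, and checks that the reply matches the request by identifier, sequence number and payload. The reply bytes are constructed inline for the demonstration; sending for real needs a raw socket (`socket.SOCK_RAW` with `IPPROTO_ICMP`, normally root only), and the 20-byte IP header has to be stripped from what the kernel hands back before parsing.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_HEADER = "!BBHHH"  # type, code, checksum, identifier, sequence number


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (shared by ICMP, IP, TCP and UDP)."""
    if len(data) % 2:
        data += b"\x00"  # pad the odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialise an echo request (type 8) or echo reply (type 0) with a valid checksum."""
    header = struct.pack(ICMP_HEADER, icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)  # computed with the checksum field zeroed
    return struct.pack(ICMP_HEADER, icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Parse an ICMP message (IP header already stripped); reject truncated or corrupt input."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP message")
    if inet_checksum(packet) != 0:  # a valid message sums to all ones, whose complement is 0
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack(ICMP_HEADER, packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def is_reply_for(request: bytes, reply: bytes) -> bool:
    """True if reply is the echo reply matching request (same id, seq and payload)."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["type"] == ICMP_ECHO_REPLY and rep["code"] == 0
            and rep["id"] == req["id"] and rep["seq"] == req["seq"]
            and rep["payload"] == req["payload"])


if __name__ == "__main__":
    # Constructed sample traffic: one request and the reply a live host would send back.
    request = build_echo(ICMP_ECHO_REQUEST, ident=0x1234, seq=1, payload=b"ping-lab3")
    reply = build_echo(ICMP_ECHO_REPLY, ident=0x1234, seq=1, payload=b"ping-lab3")
    print("request:", request.hex())
    print("matching reply:", is_reply_for(request, reply))
    stale = build_echo(ICMP_ECHO_REPLY, ident=0x1234, seq=0, payload=b"ping-lab3")
    print("stale reply accepted:", is_reply_for(request, stale))
```

Matching on identifier and sequence number is what lets a ping sweep tell which of many outstanding probes a reply belongs to; the checksum check is what stops a truncated or corrupted datagram from being counted as a live host.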
UDP Scanning (UDP Protocol)
Sending UDP packets to a target host to determine which
UDP ports are open.
◦ A sequence of packets is sent to a series of different UDP
port numbers to test each port.
◦ If the UDP port is OPEN on the target host, there is usually
no reply (unless the service answers the probe with its own
UDP datagram).
◦ If the UDP port is NOT OPEN, the host sends an ICMP Destination
Unreachable, Port Unreachable (type 3, code 3) in response to
the probe.
◦ Silence is therefore ambiguous (open or filtered), and because
hosts rate-limit ICMP errors, UDP scans are slow.
TCP Scanning (TCP Protocol)
Based on various features of TCP.
Some of the features used for scanning and enumeration
include:
◦ Opening a TCP connection (3-way handshake)
◦ Closing a TCP connection
◦ TCP connection reset
◦ TCP null scan
TCP 3-way handshake
Used to establish a TCP connection.
Packet sequence for 3-way handshake
◦ SYN segment - requests a connection (e.g., with a server) and
carries the client's initial sequence number
◦ SYN-ACK - acknowledges the (client's) SYN and provides the
(server's) initial sequence number for the connection.
◦ ACK - acknowledges the (server's) SYN
This process can be used to determine which TCP ports
are open on a server: a port that answers SYN-ACK is open,
one that answers RST is closed.
Closing a TCP Connection
Uses a four-segment exchange (FIN and ACK in each direction),
not a 3-way handshake
◦ FIN - indicates that one host (e.g., Host B) has finished
sending data and is ready to close the connection.
◦ ACK
Host A acknowledges receipt of the FIN.
Connection is "half-closed" at this point.
Host B transmits no more data, but Host A may still send.
◦ FIN
Host A indicates it is now ready to close the connection.
◦ ACK
Host B acknowledges A's FIN.
Host A's side is closed when it receives this final ACK from
Host B (Host B lingers in TIME_WAIT for a while before discarding
its state).
TCP Connection Reset
Allows an application to disconnect from a connection in
abnormal circumstances.
Either host initiates by sending a TCP segment with the
RST bit set.
The receiving host immediately aborts the connection (no FIN
exchange) and informs the application program that a reset
has occurred.
A RST is also what a closed port sends back to a SYN, which is
how port scanners tell closed ports from open ones.
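The handshake, the close and the reset from the three sections above, as an added Python example that is not from the original slides: a toy per-endpoint state machine using the RFC 9293 state names, driven by segments that are just flag strings. It deliberately assumes away sequence numbers, data, timers and retransmission. `handshake` runs the three segments, `graceful_close` exposes the half-closed stage in which the host that has not yet sent FIN can still transmit, `abort` models the RST, and `half_open_probe` shows what a SYN scanner does with the SYN-ACK or RST answer (it tears the half-open connection down with RST rather than completing the handshake).

```python
class TcpEndpoint:
    """One end of a TCP connection, reduced to the handshake, the four-segment close and RST.
    Segments are flag strings only: no sequence numbers, data, timers or retransmissions."""

    # (current state, segment received) -> (next state, segment to send back or None)
    TRANSITIONS = {
        ("LISTEN", "SYN"): ("SYN_RCVD", "SYN-ACK"),        # passive open answers the SYN
        ("SYN_SENT", "SYN-ACK"): ("ESTABLISHED", "ACK"),   # active open completes
        ("SYN_RCVD", "ACK"): ("ESTABLISHED", None),        # third segment of the handshake
        ("ESTABLISHED", "FIN"): ("CLOSE_WAIT", "ACK"),     # peer is done sending; we are not
        ("FIN_WAIT_1", "ACK"): ("FIN_WAIT_2", None),       # our FIN acknowledged: half-closed
        ("FIN_WAIT_2", "FIN"): ("TIME_WAIT", "ACK"),       # peer's FIN: send the final ACK
        ("LAST_ACK", "ACK"): ("CLOSED", None),             # our (second) FIN acknowledged
    }

    def __init__(self, name):
        self.name = name
        self.state = "CLOSED"
        self.outbox = []  # segments waiting to be delivered to the peer

    def listen(self):
        self.state = "LISTEN"

    def connect(self):
        self.state = "SYN_SENT"
        self.outbox.append("SYN")

    def close(self):
        """Graceful close: FIN from ESTABLISHED (closing first) or CLOSE_WAIT (closing second)."""
        nxt = {"ESTABLISHED": "FIN_WAIT_1", "CLOSE_WAIT": "LAST_ACK"}
        if self.state not in nxt:
            raise RuntimeError(f"{self.name}: close() in state {self.state}")
        self.state = nxt[self.state]
        self.outbox.append("FIN")

    def abort(self):
        """Abnormal close: send RST and discard all connection state immediately."""
        self.outbox.append("RST")
        self.state = "CLOSED"

    def can_send_data(self):
        return self.state in ("ESTABLISHED", "CLOSE_WAIT")

    def receive(self, segment):
        if segment == "RST":
            if self.state != "LISTEN":  # a listener ignores stray resets
                # a half-open connection returns to listening; anything else is torn down
                self.state = "LISTEN" if self.state == "SYN_RCVD" else "CLOSED"
            return
        if self.state == "CLOSED":
            self.outbox.append("RST")  # nothing listening here: a closed port answers RST
            return
        key = (self.state, segment)
        if key not in self.TRANSITIONS:
            raise ValueError(f"{self.name}: unexpected {segment} in state {self.state}")
        self.state, reply = self.TRANSITIONS[key]
        if reply:
            self.outbox.append(reply)


def deliver(src, dst):
    """Hand every queued segment from src to dst, in order."""
    while src.outbox:
        dst.receive(src.outbox.pop(0))


def handshake(client, server):
    server.listen()
    client.connect()
    deliver(client, server)  # SYN
    deliver(server, client)  # SYN-ACK
    deliver(client, server)  # ACK
    return client.state, server.state


def graceful_close(first, second):
    """`first` closes; returns the half-closed states, then the final states."""
    first.close()
    deliver(first, second)  # FIN: second enters CLOSE_WAIT and queues an ACK
    deliver(second, first)  # ACK: first enters FIN_WAIT_2, the half-closed state
    half_closed = (first.state, second.state, second.can_send_data())
    second.close()
    deliver(second, first)  # FIN: first enters TIME_WAIT and queues the final ACK
    deliver(first, second)  # final ACK: second is CLOSED
    return half_closed, (first.state, second.state)


def half_open_probe(scanner, server, port_open=True):
    """SYN scan: SYN-ACK means open, RST means closed; the scanner never sends the ACK."""
    if port_open:
        server.listen()
    scanner.connect()
    deliver(scanner, server)
    answer = server.outbox.pop(0)  # inspect the reply instead of completing the handshake
    if answer == "SYN-ACK":
        scanner.abort()            # RST tears the half-open connection down
        deliver(scanner, server)   # server drops it and goes back to LISTEN
        return "open", scanner.state, server.state
    scanner.receive(answer)        # RST from a closed port
    return "closed", scanner.state, server.state
```

Run `handshake` on two fresh endpoints, then `graceful_close` on the same pair, and compare the intermediate tuple with the "half-closed" step on the slide: the side that received FIN is in CLOSE_WAIT and can still send, the side that sent it is in FIN_WAIT_2 and cannot.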
Some Types of TCP Port Scans
SYN scan (half-open scan)
◦ Send SYN packet
◦ If port closed, target responds with RST/ACK
◦ If port open, target responds with SYN/ACK
Sender replies with RST to tear down the half-open connection
instead of completing the handshake
◦ If nothing (or an ICMP unreachable error) comes back, the
port is reported as filtered
Connect scan
◦ Similar to SYN scan, but completes the 3-way handshake
through the OS connect() call
◦ Connection is established, so no raw-socket privileges are
needed, but the service sees the connection and may log it
NULL scan
◦ Send packet with all flags OFF
◦ If destination port open, no response is sent (so it is
reported as open|filtered)
◦ If destination port closed, RST packet is sent
◦ Windows and some other stacks send RST for every port, so
this scan cannot distinguish open from closed there
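Port-state inference for the UDP scan and the TCP scan types described in the two sections above, as an added example that is not part of the original slides. The Python below builds the TCP flags byte for each probe (including a custom flag set of the kind Nmap's `--scanflags` allows, and the FIN/Xmas probes the slides only name), then classifies an observed response into the states Nmap reports (`open`, `closed`, `filtered`, `open|filtered`). The responses are constructed tuples, not captured traffic; the state names and the ICMP codes treated as "filtered" follow the Nmap reference guide linked above.

```python
from typing import Optional, Tuple

# TCP flag bits as they appear in the flags byte of the TCP header.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# ICMP (type, code) pairs that indicate a filtering device rather than a closed port.
ICMP_FILTERED = {(3, 1), (3, 2), (3, 9), (3, 10), (3, 13)}
ICMP_PORT_UNREACHABLE = (3, 3)

# A response is None (nothing came back), ("tcp", flags), ("udp", payload) or ("icmp", type, code).
Response = Optional[Tuple]


def tcp_flags(*names: str) -> int:
    """Flags byte for a probe; tcp_flags() with no names is the NULL probe (all flags off)."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name.upper()]
    return value


def flag_names(value: int) -> str:
    """Human-readable flag list, e.g. 0x12 -> 'SYN/ACK'."""
    return "/".join(n for n, bit in TCP_FLAGS.items() if value & bit) or "NULL"


# Probe each scan type sends. "xmas" and "custom" go beyond the slides: a FIN/PSH/URG probe
# and an arbitrary combination of the kind --scanflags allows (SYN/FIN is an assumed choice).
PROBES = {
    "syn": tcp_flags("SYN"),
    "connect": tcp_flags("SYN"),
    "null": tcp_flags(),
    "fin": tcp_flags("FIN"),
    "xmas": tcp_flags("FIN", "PSH", "URG"),
    "custom": tcp_flags("SYN", "FIN"),
}
STATELESS = {"null", "fin", "xmas", "custom"}  # rely on RFC 793 silence from open ports


def classify_tcp(scan: str, response: Response) -> str:
    """State of a TCP port given the scan type and what (if anything) came back."""
    if response is None:
        # Silence means open OR filtered for NULL/FIN/Xmas probes; for a SYN probe an open
        # port would have answered, so silence means something dropped the probe.
        return "open|filtered" if scan in STATELESS else "filtered"
    if response[0] == "icmp":
        return "filtered" if (response[1], response[2]) in ICMP_FILTERED else "unexpected"
    if response[0] != "tcp":
        return "unexpected"
    flags = response[1]
    if flags & TCP_FLAGS["RST"]:
        return "closed"
    syn_ack = TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]
    if scan in ("syn", "connect") and (flags & syn_ack) == syn_ack:
        return "open"
    return "unexpected"


def classify_udp(response: Response) -> str:
    """State of a UDP port: only a UDP reply proves open; silence is ambiguous."""
    if response is None:
        return "open|filtered"
    if response[0] == "udp":
        return "open"
    if response[0] == "icmp":
        if (response[1], response[2]) == ICMP_PORT_UNREACHABLE:
            return "closed"
        if (response[1], response[2]) in ICMP_FILTERED:
            return "filtered"
    return "unexpected"


def scanner_followup(scan: str, state: str) -> Optional[int]:
    """Flags the scanner sends after an open port answers: RST tears down the half-open
    SYN scan; a connect scan completes the handshake with ACK, so the service sees it."""
    if state != "open":
        return None
    if scan == "syn":
        return tcp_flags("RST")
    if scan == "connect":
        return tcp_flags("ACK")
    return None


if __name__ == "__main__":
    # Constructed observations for one host; no packets are sent.
    observed = [
        ("syn", ("tcp", tcp_flags("SYN", "ACK"))),
        ("syn", ("tcp", tcp_flags("RST", "ACK"))),
        ("syn", None),
        ("syn", ("icmp", 3, 13)),
        ("null", None),
        ("null", ("tcp", tcp_flags("RST"))),
    ]
    for scan, resp in observed:
        state = classify_tcp(scan, resp)
        follow = scanner_followup(scan, state)
        tail = f" scanner replies {flag_names(follow)}" if follow is not None else ""
        print(f"{scan:8s} probe {flag_names(PROBES[scan]):8s} -> {state:14s}{tail}")
    print("udp: icmp 3/3 ->", classify_udp(("icmp", 3, 3)), "; silence ->", classify_udp(None))
```

Two things the table makes visible that the bullet lists do not: silence has a different meaning for SYN probes than for NULL/FIN/Xmas probes, and a Windows host that answers every NULL probe with RST (the caveat above) will be classified as "closed" on every port by this logic, which is correct for what was observed but says nothing about what is actually listening.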
Enumeration
The process of extracting information from a network:
◦ Resources or shares available on the network
◦ The operating system, determined by fingerprinting/scanning
◦ User names or groups assigned on the network
◦ The last time a user logged on, and password-related attributes
such as expiry and lockout policy
http://en.wikipedia.org/wiki/Network_Scanner
Tools
◦ NBTscan (http://www.inetcat.net/software/nbtscan.html)
◦ NetScanTools Pro (http://www.netscantools.com/ )
◦ Hyena (http://www.systemtools.com/hyena/?source=google3D)
◦ Finger (http://en.wikipedia.org/wiki/Finger_protocol)
◦ IKE-Scan (http://www.nta-monitor.com/tools/ike-scan/ )
Vulnerability Scanners
Programs designed to search for and map systems to look for
weaknesses in an application, computer or network.
http://en.wikipedia.org/wiki/Vulnerability_scanner
http://en.wikipedia.org/wiki/Web_Application_Security_Scanner
Tools
◦ nessus (http://www.nessus.org/nessus/ )
◦ SAINT, and eEye Retina (http://www.eeye.com/html/Products/Retina/index.html)
◦ Microsoft Baseline Security Analyzer
(http://technet.microsoft.com/en-us/security/cc184924.aspx)