Transcript Scanning
Scanning
slides (c) 2012 by Richard Newman
based on Hacking Exposed 7 by McClure, Scambray, and Kurtz
What is Scanning?
How does it differ from footprinting?
–
Footprinting did not necessarily attempt to access the target system(s)
directly
Direct examination of target systems
–
–
–
–
Determine if system is alive – network ping sweep
Determining which services are up
Determining OS type/version
Determining protocol stack versions
Determining if system is alive
Popularity=10; Simplicity=9; Impact=3; Risk Rating=7
- Purpose
–
–
Find out which IP addresses have live hosts on them
No point in detailed examination of empty address!
- Network Ping sweep
–
–
–
–
–
ARP Host discovery
ICMP Host discovery
OS Utilities
Network discovery tools
TCP/UDP Host discovery
- Ping sweep countermeasures
ARP Host discovery - 1
- Address Resolution Protocol
–
Works on top of layer 2, in parallel with network layer
•
–
–
–
–
Has its own ethertype value
Needed for “plug-and-play” autoconfiguration and mobility
Request is broadcast to all hosts on LAN
Host with matching address is required to respond
Attacker needs to be on same LAN
- arp-scan by NTA Monitor (nta-monitor.com/tools/arp-scan)
–
–
–
–
Must be run as super-user
Takes CIDR subnet address range as input
Returns all responding hosts with IP and MAC addresses
Includes OUI of MAC if known
- Nmap by Fyodor (nmap.org)
ARP Host discovery - 2
- Nmap by Fyodor (nmap.org)
–
De facto tool of choice
•
–
–
–
–
Works on Linux, Windows, Mac
Does much more than ARP scanning
ARP scan through -PR <CIDR address> option
Turn off port scan using -sn option
Reports IP address, MAC address, OUI's name, and latency
- CAIN (oxid.it/cain.html)
–
–
–
Windows tool
Does much more than ARP scanning
GUI-based tool
- Limitations of ARP scanning
–
Targets on distant network segments
ICMP Host discovery - 1
- Internet Control Message Protocol (ICMP) intended uses
–
–
Diagnostics and trouble shooting needed on internet
ICMP used for diagnostics, error reporting, management, etc.
- ICMP messages
–
–
–
–
–
–
–
–
Echo request/reply (ping)
Destination unreachable
Source quench
Redirect
Time exceeded (TTL reached 0)
Timestamp/reply (used in enumeration)
Information request/reply
Address mask request/reply (used in enumeration)
ICMP Host discovery - 2
- OS ping utility uses ICMP echo request/reply messages
–
–
If receive request, must reply
Can also be used in smurf attack (using broadcast)
- host may be configured not to respond to echo requests
–
May still respond to other messages
Network discovery tools - 1
- Nmap
–
–
–
–
–
–
Beside ICMP ping sweep also does ARP sweep and TCP pings
Limit activity (to avoid detection by IDS) using -sn (no port scan), PE (use echo request), and --send-ip (no ARP scan)
If on different subnet, --send-ip not needed
Individual and CIDR subnet addressing
Gives responding host IP, MAC, OUI name, latency
Has -PM option for address mask and -PP option for timestamp
•
In case host configured to ignore ECHO REQUEST messages
Network discovery tools - 2
- hping3 and nping
–
–
Very flexible tools
•
Select flags, message types
•
Spoof source address (IP and MAC)
•
Set number of messages to send
nping ships with nmap
- superscan
–
–
–
–
–
–
Windows tool
Free from Foundstone
Fast ping sweep
GUI with options for echo request, timestamp, address mask, and
information request messages
Also supports UDP and TCP port scans and more
Can give HTML output
TCP/UDP Host discovery - 1
- Especially useful when ICMP responses are limited
- Servers provide services over network
–
–
Must be able to take clients
May be open through firewall
- May have to probe multiple ports to find open service
–
–
Any response indicates host is alive
More probing = higher visibility to IDS
- Local hosts (not servers) may also have services
–
–
–
–
File sharing
Remote desktop
Management tools
Often have local firewall
TCP/UDP Host discovery - 2
- nmap
–
–
–
–
-sn option also include port 80 (www)
-Pn option for 1000 common ports
-p <portnumber> option to specify one particular port
--open option to suppress IP addresses that don't respond
- nping
–
–
Also provides port scan option
Output noisier
- superscan
–
–
Also provides options to probe particular ports or port ranges
Can take file with list of IP addresses to scan
Ping sweep countermeasures
- Detection
–
–
–
–
–
May want to leave ICMP diagnostic abilities in place for legit use
May want to use as “early warning” of impending attack
Most standard network and desktop firewall tools can be
configured to detect ping sweeps
Many OS tools available for this also
Detection does little good if nobody is watching
- Prevention
–
–
–
–
Limit which ICMP messages will be allowed
Limit where they will be received from/sent to
Pingd allows handling at user level (flexible access control)
Can prevent exchange of info by compromised system using data
field in ECHO REQUEST (loki2, etc.)
Determining services that are up
Popularity=10; simplicity=10; impact=7; Risk Rating=9
- Port scanning
–
–
–
–
–
Send packets to TCP and UDP ports to find listening servers
Find live hosts
Determine which services are open
Help identify OS type, version
Identify specific applications/versions of particular service
Scan Types - 1
- TCP connect scan
–
–
–
Completes 3-way handshake
Takes longer
Can be run as regular user
- TCP SYN scan (half-open scan)
–
–
–
–
Sends SYN, waits for SYN-ACK
SYN-ACK = open, RST = not open (usually)
Stealthier
Can produce DOS attack on target
- TCP FIN scan
–
–
–
Sends FIN
Should receive RST (see RFC 793)
Usually works on Unix-based stacks
Scan Types - 2
- TCP Xmas tree scan
–
–
Sends FIN, URG, and PUSH TCP packet
Should receive RST on closed ports
- TCP Null scan
–
–
Sends TCP segment with no flags set
Should receive RST on closed ports
- TCP ACK scan
–
–
Sends packet with ACK set
Helps determine firewall policies, capabilities
- TCP Windows scan
–
Looks at how rwnd is handled with RST to ACK segment
See http://www.networkuptime.com/nmap/page3-13.shtml
- TCP RPC scan
- UDP scan
Scan Types - 3
- TCP RPC scan
–
–
–
–
Many Unix systems implement portmapper
Used with RPC/RMI to find services
Server registers service with portmapper (with pgm/version)
Client contacts portmapper to request service, get port#
- UDP scan
–
–
–
Connectionless
Send ICMP “port unreachable” message if not listening
May be up if error message not received
Identifying Services - 1
- TCP SYN port scan using nmap
–
–
–
–
–
–
–
–
Use -sS option
Use -oN <file> to save human readable output
Use -oG <file> to save tab-delimited version
Use -oX <file> to save XML
-oA saves in all formats
Lists open ports with nominal services
-f option to fragment packets
•
Some firewalls will not reassemble fragments, just pass packet
•
May make it harder for IDS to detect scan
-D option provides for decoy source addresses
•
–
Burdens target with having to track down all scans
•
Take care to use real IP addresses to avoid SYN attack DOS
-b option to use FTP bounce scanning
•
Uses older FTP servers to reflect packets
Identifying Services - 2
- SuperScan (Foundstone.com)
–
–
–
–
–
Windows/GUI-based alternative to nmap
Port scans in addition to ICMP and ARP scans
Select port or port range to scan, and protocol
Select special techniques for TCP, UDP
UDP data+ICMP method
•
Multiple UDP packets to a port
•
May overwhelm ICMP response capability
•
Very accurate, but slow
- ScanLine
–
–
Windows/command-line tool (also Foundstone)
Single executable
–
•
Easier to load onto compromised system
Many options
- Netcat
–
(nc)
Older, command-line tool - “Swiss army knife”
Port Scanning Countermeasures
- Detection
–
–
IDS (e.g., Snort – snort.org)
Unix scanlogd (openwall.com/scanlogd)
•
–
–
–
TCP scans
See openwall.com/scanlogd/P53-13.gz for more
Configure firewall to detect
•
Email alerts
•
Use grouping to avoid DOS on email
Attacker (Foundstone.com)
•
Can monitor specific ports
•
Mostly useful against naive attackers
- Prevention
–
–
Disable all unnecessary services
System specific
Detecting the OS - 1
Active OS Detection
Popularity=10; Simplicity=8; Impact=4; Risk Rating=7
- Banner grabbing (later)
- Available ports signature
–
Some systems use particular ports for services
- Active Stack Fingerprinting
–
–
–
Responses to probes is implementation dependent
Multiple types of probes used to narrow field
See insecure.org/nmap/nmap-fingerprinting-article.html
Hard to prevent, not so hard to detect
Detecting the OS - 2
Active Stack Fingerprinting Probes
- FIN probe
–
Correct not to respond, but some send FIN/ACK
- Bogus flag probe (in SYN packet)
–
Correct to ignore, but some set flag in SYN-ACK
- Initial Sequence Number (ISN) sampling
–
Patterns may be found in ISNs for connections that depend on OS
- DF bit monitoring
–
Some OS's may set DF in IP header to improve performance
- TCP initial window size
–
Some systems have characteristic initial rwnd size
–
Note that rwnd is indication of buffer space at receiver, set by OS
- ACK value
–
May use last SN (less common) or last SN+1 (usual)
Detecting the OS - 3
- ICMP error message quenching
–
Systems may limit the number of ICMP error messages (RFC
1812)
–
Send UDP packets to random port, determine rate of ICMP
unreachable port messages
-ICMP message quoting
–
ICMP error messages include some initial portion of the offending
datagram
–
Amount of data included varies according to system
- ICMP error message-echoing integrity
–
Some systems change IP headers quoted in ICMP error
messages
- TOS on ICMP port unreachable message
–
Usually TOS=0, but may vary
- Fragmentation handling
–
Observe how probe packets with overlapping fragments are
reassembled
Detecting the OS - 4
Passive OS Detection
Popularity=5; Simplicity=6; Impact=4; Risk Rating=5
- Less obtrusive than active OS fingerprinting
- Monitor traffic to/from target
–
Requires favorable position
- Passive signatures
–
–
–
–
TTL on outbound datagrams
Initial window size (rwnd)
DF (don't fragment) bit set?
Siphon tool (packetstormsecurity.org)
Hard to prevent, hard to detect
Storing and Processing Scan Data
- Large amounts of data may be produced
- Desirable to have ways to sift through data, select items of
interest
- Metasploit (metasploit.com)
–
–
–
–
Postgres database for querying
Can run nmap from metasploit
Can import nmap output into database
Then run queries to select desired items