Lab1Overview - ECE Users Pages
Download
Report
Transcript Lab1Overview - ECE Users Pages
Lab 1: Reconnaissance,
Network Mapping, and
Vulnerability Assessment
• Reconnaissance
• Scanning
• Network Mapping
• Port Scanning
•OS detection
• Vulnerability assessment
1
Reconnaissance
• Internet Network Information Center who-is
database www.internic.net/whois.html
• Registrar’s database i.e.
www.networksolutions.com
• American Registry for Internet Numbers (ARIN)
http://www.arin.net/whois/
• Domain Name System (DNS) nslookup
ECE 4112 - Internetwork Security
2
Reconnaissance
• After Recon, it is possible to know detailed
information about a potential target
• This information includes specific IP addresses
and ranges of addresses that may be further
probed.
ECE 4112 - Internetwork Security
3
Scanning
Objective 1: Network Mapping
Why: To determine what the network looks like logically.
How: Manually using tools like ping, traceroute, tracert, or with
tools like Cheops network mapping tool
ECE 4112 - Internetwork Security
4
Scanning
Objective 2: Port Scanning
Why: To find open ports in order to exploit them.
How:
• TCP Connect -- attempt to complete 3-way handshake, look for
SYN-ACK, easy to detect this scan
• TCP SYN Scan -- “half-open” scan, look for SYN-ACK, then send
RESET, target system will not record connection, also faster than
TCP connect scan
• TCP FIN, Xmas Tree, Null Scans -- scans that violate the protocol,
closed ports send RESET, open ports send nothing (Windows does
not respond to these scans)
ECE 4112 - Internetwork Security
5
Scanning
• TCP ACK Scan -- may be useful to get past packet filters
(believes it is a response to a request from inside firewall), if
receive RESET, know this port is open through firewall
• FTP Bounce Scan -- request that server send file to a victim
machine inside their network (most servers have disabled this
service)
• UDP Scan -- unreliable, if receive ICMP Port Unreachable,
assume closed, otherwise open
• Ping Sweep -- can use ICMP or TCP packets
ECE 4112 - Internetwork Security
6
Scanning
Additional objectives:
• Decoys -- insert false IP addresses in scan packets
• Ping Sweeps -- identify active hosts on a target
network
• Find RPCs -- connect to each open port looking for
common RPC services (send NULL RPC commands)
ECE 4112 - Internetwork Security
7
Scanning
Objective 3: Operating System Detection
Why: To determine what Operating System is in use in order
to exploit known vulnerabilities.
• Also known as TCP stack fingerprinting.
• Take advantage of ambiguity of how to handle illegal
combinations of TCP code bits that is found in the RFCs.
• Each OS responds to illegal combinations in different
ways.
• Determine OS by system responses.
ECE 4112 - Internetwork Security
8
OS detection
Window Size: Most Unix Operating Systems keep the window
Size the same throughout a session. Windows Operating
Systems tend to change the window size during a session.
Time to Live: FreeBsd or Linux typically use 64, Windows
Typically uses 128.
Do Not Fragment Flag: Most OS leave set, OpenBSD leaves
it unset.
ECE 4112 - Internetwork Security
9
Nmap: Network Exploration
Tool
Purpose: “To allow system administrators and curious
individuals to scan large networks to determine which
hosts are up and what services they are offering.”
Available at: http://www.insecure.org/nmap/
ECE 4112 - Internetwork Security
10
Nmap: What does it do?
• Port scanning
• OS detection
• Ping sweeps
ECE 4112 - Internetwork Security
11
Nmap: How does it work?
Use the following Scan techniques :
• UDP
• FIN
• TCP connect()
• ACK sweep
• TCP SYN (half open)
• Xmas Tree
• ftp proxy (bounce attack)
• SYN sweep
• Reverse-Identification
• IP Protocol
• ICMP (ping sweep)
• Null Scan
ECE 4112 - Internetwork Security
12
Nmap: How does it work?
• Uses the following OS detection techniques
• TCP/IP fingerprinting
• stealth scanning
• dynamic delay and retransmission calculations
• parallel scanning
• detection of down hosts via parallel pings
• decoy scanning
• port filtering detection
• direct (non-port mapper) RPC scanning
• fragmentation scanning
• flexible target and port specification.
ECE 4112 - Internetwork Security
13
Scanning Vulnerability
Assessment (1)
Objective 4: Vulnerability Assessment
Why: To determine what known (or unknown?)
vulnerabilities exist on a given network
Vulnerabilities come from:
• Default configuration weakness
• Configuration errors
• Security holes in applications and protocols
• Failure to implement patches!
ECE 4112 - Internetwork Security
14
Vulnerability Assessment
Vulnerability checkers use:
• Database of known vulnerabilities
• Configuration tool
• Scanning engine
• Knowledge base of current scan
• Report generation tool
ECE 4112 - Internetwork Security
15
Scanning tool: Nessus
Purpose: “To provide to the internet community a free,
powerful, up-to-date and easy to use remote security scanner.”
Security Scanner: “A software which will audit remotely a
given network and determine whether bad guys (aka 'crackers')
may break into it, or misuse it in some way.”
Available platforms: UNIX for client and server
Windows for client only
Available at: http://www.nessus.org/
ECE 4112 - Internetwork Security
16
Nessus: What does it do?
• Iteratively tests a target system (or systems) for known
exploitation vulnerabilities
• Uses a separate plug-in (written in C or Nessus Attack
scripting Language) for each security test
• Can test multiple hosts concurrently
• Produces a thorough vulnerability assessment report at the
conclusion of the vulnerability scan
ECE 4112 - Internetwork Security
17
What does Nessus check for?
• Backdoors
• Port scanners
• CGI abuses
• Remote file access
• Denial of Service
• RPC
• Finger abuses
• SMTP problems
• FTP
• Useless services
• Gain a shell remotely
• Windows
• Gain root remotely
• and more...
ECE 4112 - Internetwork Security
18
Scanning tool: Superscan4
(windows XP)
Purpose: “To provide to the internet community a free,
powerful, up-to-date and easy to use remote security scanner.”
Security Scanner: “Superior scanning speed, Support for
unlimited IP ranges, Improved host detection using multiple
ICMP methods , TCP SYN scanning , UDP scanning (two
methods), IP address import supporting ranges and CIDR
formats, Simple HTML report generation, Source port
scanning, Fast hostname resolving, Extensive banner grabbing ,
Massive built-in port list description database , IP and port scan
order randomization , A selection of useful tools (ping,
traceroute, Whois etc) ,Extensive Windows host enumeration
capability .”
19
ECE 4112 - Internetwork Security
Lab Enhancements
What corrections and or improvements do you suggest for this lab? Please be very specific and if you
add new material give the exact wording and instructions you would give to future students in the
new lab handout. You may cross out and edit the text of the lab on previous pages to make minor
corrections/suggestions. General suggestions like add tool xyz to do more capable scanning will not
be awarded extras points even if the statement is totally true. Specific text that could be cut and
pasted into this lab, completed exercises, and completed solutions may be awarded additional credit.
Thus if tool xyx adds a capability or additional or better learning experience for future students here
is what you need to do. You should add that tool to the lab by writing new detailed lab instructions
on where to get the tool, how to install it, how to run it, what exactly to do with it in our lab, example
outputs, etc. You must prove with what you turn in that you actually did the lab improvement
yourself. Screen shots and output hardcopy are a good way to demonstrate that you actually
completed your suggested enhancements. The lab addition section must start with the title “Lab
Addition”, your addition subject title, and must start with a paragraph explaining at a high level what
new concept may be learned by adding this to the existing laboratory assignment. After this
introductory paragraph, add the details of your lab addition. Include the lab addition cover sheet
from the class web site.
ECE 4112 - Internetwork Security
20
Lab Enhancements Cover Sheet
•What new concept may be learned by adding this to the existing laboratory assignment? (Or what
existing concept is better learned with this addition as opposed to what is in the existing lab
assignment):
•What are the specific vulnerabilities this concept exploits and what are the defenses one can use
against the vulnerabilities?
Completion checklist:
•Did you email an electronic copy of your laboratory addition to Henry within 24 hours after the class
(and name the attachment Grx_Laby_Add.doc)? ________
•Did you prepare a 5 minute in class presentation (which includes enough theory and results to educate
your classmates on what you did and how you did it and discuss defenses) and email that to Henry
within 24 hours after the class (and name the attachment Grx_Laby_Add.ppt)? _______
•Did you include proof that you got this working in our laboratory with our equipment? (Screen shots,
output, etc)? ____________
•Did you include references and attributes for all materials that you used? __________
•Did you write your addition so that it does not require editing to cut and paste into the lab? ____
•Did you include answers to all questions you ask in the addition (a solution sheet)? _______
•In adding your new concepts/exercises did you include detailed lab instructions on where to get any
software you may need, how to install it, how to run it, what exactly to do with it in our lab, example
outputs proving that you got the enhancement to work in our lab? ___________
•Did you include any theory/background and or fundamentals of the ideas and concepts behind this
addition? _____________
ECE 4112 - Internetwork Security
21
ECE 4112 - Internetwork Security
22