Transcript 8_19Counter Hack 6 scanning

COUNTER
HACK
Chapter 6 Scanning
Information Networking Security and
Assurance LAB
Department of Communication Engineering
National Chung Cheng University
Chia-Yi, Taiwan , ROC
Mike
Information Networking Security and Assurance Lab
National Chung Cheng University
Network Mapping
Server
Server
Server
Focus on IP-based computer systems.
Map out your network infrastructure.
INTERNET
INTERNAL
NETWORK?
BORDER
ROUTER?
Mapping and scanning your Internet gateway,
Firewall?
Firewall?
including DMZ systems, such as Web, mail, FTP,
and DNS sever.
BORDER
Mapping and scanning your ROUTER?
internal network.
Server
Information Networking Security and Assurance Lab
National Chung Cheng University
Network Mapping Techniques
Finding live hosts
Tracing your network topology
Information Networking Security and Assurance Lab
National Chung Cheng University
Finding Live Hosts
ICMP ping
Ping all possible addresses to determine which ones
have active hosts
Ping, using an ICMP Echo Request packet
ICMP packet
ICMP Echo Request packet
Attacker
Information Networking Security and Assurance Lab
National Chung Cheng University
Victim
Traceroute
Tracerouting relies on the Time-To-Live(TTL)
 If the TTL is zero,the router sends back an ICMP
Time Exceeded message to the originator.
Information Networking Security and Assurance Lab
National Chung Cheng University
Traceroute
ROUTER
ROUTER
TTL = 1
Time exceeded
TTL = 2
Time exceeded
Information Networking Security and Assurance Lab
National Chung Cheng University
ROUTER
Cheops
Developing a network inventory and topology
using ping and traceroute
Runs on Linux
Information Networking Security and Assurance Lab
National Chung Cheng University
Defenses against Network Mapping
Filter
Firewalls and packet-filtering capabilities of your
routers
Stop ICMP Time Exceeded messages leaving your
network
Information Networking Security and Assurance Lab
National Chung Cheng University
Using port scanners
Analyzing which ports are open
To know the addresses of live system
Have the basic understanding of your network
TCP/IP stack has 65,535 TCP/UDP ports
RFC 1700, Assigned Numbers
Information Networking Security and Assurance Lab
National Chung Cheng University
Using port scanners
Ports like doors on each of machines
Port scan knock on each door to see if anyone
is listening behind it
Someone behind the door, get a response
No one behind the door, no answer back
Information Networking Security and Assurance Lab
National Chung Cheng University
Free port-scanning tools
Nmap ( www.insecure.org/Nmap)
Strobe (packetstorm.securify.com/UNIX/scanners/)
Ultrascan, a Windows NT port scanner,
(packetstorm.securify.com/UNIX/scanners)
Information Networking Security and Assurance Lab
National Chung Cheng University
Nmap
What type of packets does the scanning system
send
TCP Connect, TCP SYN, TCP FIN, …
Some types could cause the target system to
become flooded or even crash
Information Networking Security and Assurance Lab
National Chung Cheng University
Types of Nmap Scans
Legitimate TCP connections established using
a three-way handshake
SYN with ISNA
ACK ISNA and SYN with ISNB
ACK ISNB
Connection
Attacker
Information Networking Security and Assurance Lab
National Chung Cheng University
Victim
TCP ACK Scans
SYN
SYN-ACK
SYN
Packet
Filter
Device
Allow outgoing traffic
and the established
responses
Block incoming traffic
if the SYN packet is set
EXTERNAL
NETWORK
Information Networking Security and Assurance Lab
National Chung Cheng University
INTERNAL
NETWORK
TCP ACK Scans
ACK dest port 1024
ACK dest port 1025
ACK dest port 1026
Aha! I know port 1026 is
open through the firewall
EXTERNAL
NETWORK
Information Networking Security and Assurance Lab
National Chung Cheng University
Packet
Filter
Device
RESET
INTERNAL
NETWORK
FTP Bounce Scans
FTP Server
supporting FTP
forwarding
“open data connection
to send file to victim
on port 1.”
“…port 2”etc.,etc.
Information Networking Security and Assurance Lab
National Chung Cheng University
Victim
to be scanned
How to avoid FTP Bounce Scans
Make sure that your FTP sever does not
support this bounce capability
Checking your FTP sever
(www.cert.org/advisories/CA-1997-27.html)
Information Networking Security and Assurance Lab
National Chung Cheng University
Standard FTP Control and Data
Connections
Active type
FTP Control Connection
TCP destination port 21
FTP Data Connection
FIREWALL
TCP destination port 20
External FTP Server
Standard FTP Control and Data Connections
Information Networking Security and Assurance Lab
National Chung Cheng University
Internal FTP Client
FTP Bounce Scans
Makes standard FTP harder for router and
firewalls to handle.
Duh…
I’ll let in that
incoming FTP data
connection.
Src port = 20
Dst port = 1024
Src port = 20
Dst port = 1025
FIREWALL
Src port = 20
Dst port = 1026
Client
Server
Data Connections
Information Networking Security and Assurance Lab
National Chung Cheng University
Defenses against Port Scanning
 Harden your system
Close all unused ports.
Minimizes all services and tools installed.
 Find the openings before the attackers do
 Stateful inspection
Remembers all outgoing SYNs in a connection table
Check incoming packets against ACK scans.
Information Networking Security and Assurance Lab
National Chung Cheng University
How Firewalk Works
External IP = 10.1.1.1
ROUTER
ATTACKER
TTL = 1
Time exceeded
ROUTER
Packet
Filter
Firewall
TTL = 2
Time exceeded
TTL = 3
Time exceeded
Firewalk discovery phase counts the number of hops to the firewall
Information Networking Security and Assurance Lab
National Chung Cheng University
Determining Firewall Filter Rules with
Firewalk
External IP = 10.1.1.1
ROUTER
ATTACKER
ROUTER
Packet
Filter
Firewall
TCP port 1, TTL = 4
TCP port 2, TTL = 4
TCP port 3, TTL = 4
Time exceeded
Aha! TCP port 3 is unfiltered!
Firewalk scanning phase determines open ports through the firewall
Information Networking Security and Assurance Lab
National Chung Cheng University
Firewalk Defenses
Configured with a minimum set of ports
allowed through it.
Information Networking Security and Assurance Lab
National Chung Cheng University
Firewalk Defenses
 To replace packet-filtering devices with proxybased firewalls(proxies do not transmit TTL
information)
Drawback: Lower performance
 By filtering out ICMP Time Exceed message
leaving your network
Drawback: normal user and network administrators will not
be able to traceroute
Information Networking Security and Assurance Lab
National Chung Cheng University
Vulnerability Scanning
What’s vulnerability scanner
Types of vulnerabilities
Common configuration errors.
Default configuration weaknesses.
Well-known system vulnerabilities.
Information Networking Security and Assurance Lab
National Chung Cheng University
Vulnerability Scanner
User
Configuration
Tool
Scanning
Engine
Vulnerability
Database
Knowledge
Base of Current
Active Scan
Results
Repository
& Report
Generation
A generic vulnerability scanner
Information Networking Security and Assurance Lab
National Chung Cheng University
TARGETS
The Nessus Architecture
Client-server architecture
Client: user configuration tool and a results
repository/report generation tool.
Server: vulnerabilities database, a knowledge base
of the current active scan, and a scanning engine.
Information Networking Security and Assurance Lab
National Chung Cheng University
The Nessus Architecture
 Supports strong authentication, based on public
key encryption.
 Supports strong encryption based on the twofish
and ripemd algorithms.
 The most common use: running on a single
machine.
Information Networking Security and Assurance Lab
National Chung Cheng University
Vulnerability Scanning Defense
Close unused ports
Keep systems patched
Run the tools against your networks
Be careful with DoS(Denial-to-Server) and
Password Guessing tests!
Be aware of limitations of vulnerability scanning
tools.
Information Networking Security and Assurance Lab
National Chung Cheng University
Intrusion Detection System(IDS)
 All the scanning tools are noisy
 Tools can be detected by a network-based
intrusion detection system (IDS)
 IDS listen for attacks and warn administrators of
the attacker’s activities
Information Networking Security and Assurance Lab
National Chung Cheng University
How Intrusion Detection Systems Work
 Captures all data on the LAN.
 Sortthrough this data to determine if an actual
attack is underway.
 Have a database of attack signatures.
 Match attack signatures in their database.
 When attacks discovered, the IDS will warn the
administrator.
Information Networking Security and Assurance Lab
National Chung Cheng University
A Network-Based Intrusion Detection
System
Port 23!
Alert! Alert
NETWORK
IDS
PROBE
TCP port 80
NETWORK
TCP port 23
ATTACKER
Information Networking Security and Assurance Lab
National Chung Cheng University
PROTECTED
SERVER
IDS Evasion at the Network Level
Fragment packets
IDS must reassemble packets. However,
different target systems have various
inconsistencies in the way they handle
fragments
Just use fragments
Send a flood of fragments
Fragment the packets in unexpected ways
Information Networking Security and Assurance Lab
National Chung Cheng University
The tiny fragment attack
Looks good
to me…
Fragment 1:
Part of TCP Header
ATTACKER
Fragment 2:
Rest of TCP Header
with port number
Information Networking Security and Assurance Lab
National Chung Cheng University
NETWORK
NETWORK
IDS
PROBE
PROTECTED
SERVER
A fragment overlap attack
Looks good
to me…
Fragment 1:
Part of TCP packet
for port 80
ATTACKER
Fragment 2:
My offset is xyz. Data
contains part of TCP
Header with port 23
Information Networking Security and Assurance Lab
National Chung Cheng University
NETWORK
NETWORK
IDS
PROBE
PROTECTED
SERVER
Using FragRouter to evade IDS detection
Looks good
to me…
NETWORK
IDS
PROBE
ATTACK
SYSTEM
Attack
packets
FRAGROUTER
Information Networking Security and Assurance Lab
National Chung Cheng University
Attack
fragments
VICTIM
Some of the Many Fragmentation Options
Offered by FragRouter
Name
Flag
How the packets are mangled
frag-1
-F1
Send data in ordered 8-byte IP fragments
frag-2
-F2
Send data in ordered 24-byte IP fragments
frag-3
-F3
Send data in ordered 8-byte IP fragments, with one fragment sent
out of order
tcp-1
-T1
Complete TCP handshake, send fake FIN and RST (with bad
checksums) before sending data in ordered 1-byte segments
tcp-5
-T5
Complete TCP handshake, send data in ordered 2-byte segments,
preceding each segment with a 1-byte null data segment that
overlaps the latter half of it. This amounts to the forwardoverlapping 2-byte segment rewriting the null data back to the real
attack.
tcp-7
-T7
Complete TCP handshake, send data in ordered 1-byte segments
interleaved with 1-byte null segments for the same connection but
with drastically different sequence numbers.
Information Networking Security and Assurance Lab
National Chung Cheng University
IDS Evasion Defenses
 Keep the IDS system up to Date
 Utilize Both Host-Based and Network-Based IDS
Information Networking Security and Assurance Lab
National Chung Cheng University
Referense
Firewalk:http://www.packetfactory.net/Firewal
k/firewalk-final.html
Nessus:www.nessus.org
Information Networking Security and Assurance Lab
National Chung Cheng University
Vulnerability Assessment tool
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
Nessus is a free, open source vulnerability
scanner that provide a view of your networks
as seen by outsiders.
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
Nessus also provide many kinds of detailed
report that identifies the vulnerabilities and the
critical issues that need to be corrected.
Nessus Features:
Plugin-based
Exportable report
Information Networking Security and Assurance Lab
National Chung Cheng University
Structure
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (I): install nessus
Some way to install
lynx -source http://install.nessus.org | sh
dangerous
sh nessus-installer.sh
Easy and less dangerous
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (II): create nessusd account
add the client user’s account
The authentication method
by password check
Edit user’s right
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (III): create nessusd account
The authentication method by
key change
The key information of user
Information Networking Security and Assurance Lab
National Chung Cheng University
Step (V): Nessus client configuration
The nessusd server’s address
The open port number of nessusd
Login user name
User password
Click on “Log in”
Information Networking Security and Assurance Lab
National Chung Cheng University
The scan range
Avoid the detection by
IDS
Choice the scan tools
Information Networking Security and Assurance Lab
National Chung Cheng University
Input the target’s address
Information Networking Security and Assurance Lab
National Chung Cheng University
Nessus information
Start the scan
Information Networking Security and Assurance Lab
National Chung Cheng University
the scan process
Scanning
Information Networking Security and Assurance Lab
National Chung Cheng University
The export of the data(I)
The target’s open port
The resource of this
security include
know-how and the
solution
Information Networking Security and Assurance Lab
National Chung Cheng University
The export of the data(II)
Report in html with graphs
Warning information
Information Networking Security and Assurance Lab
National Chung Cheng University
Summary
Nessus is a powerful vulnerability assessment
and port scanner
Information Networking Security and Assurance Lab
National Chung Cheng University
Reference
Nessus
http://www.nessus.org
Information Networking Security and Assurance Lab
National Chung Cheng University