Transcript Scanning
Scanning
CS-480b
Dick Steflik
What Can We Scan For
• Modems (and other telephone devices)
• Live Hosts
• TCP ports
• UDP ports
• Promiscuous NICs
Modems
• Repeatedly dial phone numbers looking for a modem to
answer, or for other interesting telephone devices
• War Dialers – used to find modems
– ToneLoc – 1994, by Minor Threat & Mucho Maas
– THC-Scan 2.0 – VanHouser, released by The Hacker's Choice
• thc.inferno.tusclum.edu
• Win9x, NT, W2000
• about 100 lines/hour
– TBA – L0pht (www.Lopht.com)
• War dialing on a PALM
• Demon Dialers – once a modem is found, repeatedly dial it and
guess passwords
• Other things
– Free phone calls – if the line answers and gives a dial tone you
have dialed into a number that will let you dial another number;
some companies do this so that roaming employees can dial into
the company or into a company-owned 800 number
Live Hosts
• Try pinging (ICMP Echo Request) all hosts on a particular
subnet to see who replies
• No reply means one of two things:
– the host is not live, or
– the host is live but incoming ICMP messages are blocked
• It's a good idea to block incoming ICMP Echo Requests at the
firewall (keep the ICMP types you need, e.g. "fragmentation
needed" for path MTU discovery, or you will break things)
• If there is no reply a hacker would try connecting to a commonly
open port (TCP port 80) or sending a UDP packet to a
commonly open port; a reply to either proves the host is live
• In Java (which cannot send ICMP from the standard library)
send a ping by running the OS ping command as an external
process (e.g. via Runtime.exec or JNI).
Mapping your network
• Once the live hosts are known, a map of your network can
be arrived at by determining how the hosts are connected
together
• traceroute (unix/linux) / tracert (Windows NT/2000)
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
C:\users>tracert mail.binghamton.edu
Tracing route to mail.binghamton.edu [128.226.1.18]
over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 128.226.121.1
2 <10 ms <10 ms <10 ms 128.226.100.25
3 <10 ms <10 ms <10 ms bingnet2.cc.binghamton.edu [128.226.1.18]
Trace complete.
Mapping (more)
• By doing repeated traceroutes to the hosts discovered in
the host scan, the routers each path shares reveal the
network topology.
• Another way to do this is by using a mapping program like
Cheops (www.marko.net/cheops)
– runs on Linux and automates the process of inventorying a
network
– does operating system identification by using TCP Stack
Fingerprinting
Port Scanning
• Once an attacker knows the topology of your network, the
tedious task of identifying open ports and services begins
• Plain TCP connect and UDP scans are fine if you are scanning your own
network looking for vulnerabilities, but they are too easily
detected (and logged by the target service) for a hacker
• Nmap (www.insecure.org/Nmap)
– most versions of Unix
– ported to Windows NT by eEye
(www.eeye.com/html/Databases/Software/Nmapnt.html)
– does many types of scans
Port Scanning (more)
• TCP Connect - completes the 3-way handshake; the service sees
(and may log) a real connection
• TCP SYN - sends only the initial SYN and waits for SYN-ACK (open)
or RST (closed); the handshake is never completed, so the
service itself never sees the connection ("half-open" scan)
• TCP FIN - sends a TCP FIN to each port; a reset indicates the port is
closed, no response means open (or filtered). Violates the protocol
• TCP Xmas Tree - sends a packet with FIN, URG, PUSH set;
a reset indicates the port is closed, no response may mean the port is open.
This also violates the protocol; it doesn't work on Windows
machines as MS didn't follow the RFC (Windows answers RST
regardless of whether the port is open)
• NULL - sends a packet with no code bits set; a reset indicates the port
is closed, no response means open (or filtered)
• TCP ACK - sends a packet with only the ACK bit set; it does not
find open ports but helps determine a packet filter's rules
(a stateless filter that passes "established" traffic lets it through)
• Window - similar to the ACK scan but looks at the TCP window size
in the returned RST to decide whether ports are open or closed
Port Scanning (more)
• FTP Bounce - bounces a TCP scan off of an FTP server (abusing the
PORT command to make the server connect to an arbitrary
host:port) to obscure the originator of the scan
• RPC Scanning - scans for Remote Procedure Call (RPC)
services on the target machine; sends an RPC null call to each
open port to determine if an RPC program is listening, and which one
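The connect scan is the one kind of scan in the list above that needs no raw sockets or root, so it is the easiest to see working. The following Python is an added example written for these notes, not code from the slides or from Nmap: it starts a throw-away TCP listener on the loopback interface as a constructed target, connect()s to a list of ports, and classifies each port the way a connect scan must (handshake completed: open; RST, seen as "connection refused": closed; no answer before the timeout: filtered). Port numbers are whatever the OS hands out, so nothing here is tied to a real service.

```python
"""TCP connect() scan with open / closed / filtered classification.

Added illustrative example (not from the original slides). The target is a
constructed listener on 127.0.0.1 so the script runs offline.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def connect_scan_port(host, port, timeout=1.0):
    """Scan one port with a full three-way handshake and classify it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))          # SYN -> SYN-ACK -> ACK completed
        return "open"
    except ConnectionRefusedError:       # target answered our SYN with RST
        return "closed"
    except socket.timeout:               # no SYN-ACK and no RST: dropped
        return "filtered"
    except OSError:                      # unreachable network etc.
        return "filtered"
    finally:
        s.close()                        # sends FIN/RST; service saw a connection


def connect_scan(host, ports, timeout=1.0, workers=32):
    """Scan many ports in parallel; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: connect_scan_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def start_listener():
    """Constructed target: a TCP service on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0 = let the OS choose
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()   # a real service would log this
            except OSError:              # listener closed, stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """Pick a loopback port that currently has no listener (i.e. closed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed loopback port; returns (open, closed, results)."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        return open_port, closed_port, connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    o, c, result = demo()
    for port, state in sorted(result.items()):
        print(f"{port}/tcp {state}")
```

Run it against a remote host and the "filtered" case appears as soon as a packet filter silently drops the SYN; that timeout, multiplied by 65535 ports, is why attackers prefer the half-open and flag-trick scans that Nmap implements with raw sockets.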
Windows Specific Services
NetBIOS (UDP Ports 137, 138; TCP Port 139) – used for Windows networking
to connect clients to file and print servers (Windows 2000 also serves
SMB directly on TCP Port 445). Should never be allowed
through the Firewall except through an encrypted tunnel (as in a
VPN)
RPC Endpoint Mapper (TCP Port 135) – used by Windows networking to
locate network services that use the RPC protocol. Should never be
allowed through the Firewall.
Terminal Services (TCP Port 3389) – gives the connecting user complete
control over the host machine. Should never be allowed through the
Firewall except through an encrypted tunnel (as in a VPN)
Standard UNIX Services
• Chargen (TCP and/or UDP Port 19)
• Daytime (TCP and/or UDP Port 13)
• Discard (TCP and/or UDP Port 9)
• Echo (TCP and/or UDP Port 7)
• Finger (TCP Port 79)
• NFS (TCP and/or UDP Port 2049)
• Quote of the Day (TCP and/or UDP Port 17)
• RPC portmapper (TCP and/or UDP Port 111)
• RSH (TCP Port 514)
• SSH (TCP Port 22)
Platform Neutral Services
• Telnet (TCP Port 23)
• TFTP (UDP Port 69)
• BOOTP/DHCP server (UDP Port 67)
• BOOTP/DHCP client (UDP Port 68)
• LDAP (TCP and/or UDP Port 389)
• SNMP (UDP Port 161)
• VNC (TCP Ports 5800+ for the Java/HTTP viewer, 5900+ for the RFB protocol)
• HTTP (TCP Port 80)
• HTTPS (TCP Port 443)
UDP Scans
• Because UDP is a much simpler protocol than TCP (no handshake,
no reset) it is inherently less reliable for scanning
• A UDP packet is sent to each UDP port
• If an ICMP "Port Unreachable" message is received then interpret
the port as being closed
• If the service answers, the port is open
• Otherwise assume the port is open; silence may equally mean a
filter dropped the probe or the service ignored our payload
• False positives are very common; many stacks also rate-limit
ICMP errors, which makes a full UDP scan very slow
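The "closed only if ICMP Port Unreachable" rule is visible from ordinary sockets, because the kernel reports that ICMP error to a connected UDP socket as ECONNREFUSED. The Python below is an added example for these notes (not from the slides or any scanner). It sets up three constructed loopback targets: a UDP service that echoes, a service that is bound but never replies, and a port nobody listens on, then scans all three. The silent listener and a filtered port produce the identical "open|filtered" verdict, which is exactly the false-positive problem the slide describes.

```python
"""UDP scan: classify ports by ICMP port-unreachable, reply, or silence.

Added illustrative example (not from the original slides). All targets are
constructed on 127.0.0.1 so the script runs offline. The ECONNREFUSED
behaviour relies on the kernel delivering ICMP errors to connected UDP
sockets (Linux, BSD, macOS do).
"""
import socket
import threading


def udp_scan_port(host, port, timeout=0.5, payload=b"\x00"):
    """Send one UDP probe and classify the port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))      # connected socket receives ICMP errors
        s.send(payload)
        s.recv(512)
        return "open"                # the application answered
    except ConnectionRefusedError:
        return "closed"              # ICMP type 3 code 3 (port unreachable)
    except socket.timeout:
        return "open|filtered"       # silence: dropped, ignored, or no service
    finally:
        s.close()


def udp_scan(host, ports, timeout=0.5):
    return {p: udp_scan_port(host, p, timeout) for p in ports}


def start_udp_service(reply):
    """Constructed target: echoes if reply=True, otherwise swallows datagrams."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, peer = sock.recvfrom(512)
            except OSError:          # socket closed, stop
                return
            if reply:
                sock.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return sock, sock.getsockname()[1]


def free_udp_port():
    """A loopback UDP port with no listener (closed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Returns (echo_port, silent_port, closed_port, {port: state})."""
    echo, echo_port = start_udp_service(reply=True)
    silent, silent_port = start_udp_service(reply=False)
    closed_port = free_udp_port()
    try:
        res = udp_scan("127.0.0.1", [echo_port, silent_port, closed_port])
        return echo_port, silent_port, closed_port, res
    finally:
        echo.close()
        silent.close()


if __name__ == "__main__":
    e, s, c, result = demo()
    for port, state in sorted(result.items()):
        print(f"{port}/udp {state}")
```

Nmap reports the same three states for `-sU`; its extra trick is to send protocol-specific payloads (a DNS query to 53, an SNMP request to 161) so that a real service answers and the ambiguous "open|filtered" shrinks to "open".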
TCP Stack Fingerprinting
• The TCP RFC defines how TCP should respond under
normal conditions (no protocol violations) but says little about how to
act in response to a protocol violation, so every implementer chose
differently
• If you spend the time attempting a number of protocol violations
and record the responses (which flags come back, initial TTL, window
size, which TCP options are echoed and in what order) they will be
the same for a given operating system/version
• These responses can be treated as fingerprints and allow a hacker to
determine what OS is being addressed.
• Nmap maintains a rather complete database of known operating
system fingerprints (nmap -O) and can pretty reliably identify most major
operating systems
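Sending the malformed probes takes raw sockets, but the matching half of fingerprinting can be shown with plain bytes. The Python below is an added example for these notes, not Nmap's code or its database: it parses the IPv4 and TCP headers of a response packet into the features listed above (initial TTL, DF bit, window size, TCP option order), normalizes the observed TTL back to the nearest initial value so hop count does not spoil the match, and looks the feature vector up in a tiny hand-written signature table. The two signatures and the sample packets are constructed for illustration (they resemble Linux 2.4 and Windows 2000 SYN-ACKs as p0f-style tools describe them, but are not authoritative).

```python
"""Match a TCP response's features against a small fingerprint table.

Added illustrative example (not from the original slides or Nmap). The
signature table and sample packets are constructed for illustration only.
"""
import struct

INITIAL_TTLS = (32, 64, 128, 255)   # values stacks commonly start from

# Illustrative signatures: (initial TTL, DF set, window, option kinds in order)
SIGNATURES = {
    (64, True, 5840, ("MSS", "SACK", "TS", "NOP", "WS")): "Linux 2.4 (illustrative signature)",
    (128, True, 16384, ("MSS", "NOP", "NOP", "SACK")): "Windows 2000 (illustrative signature)",
}

OPTION_NAMES = {2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}


def parse_tcp_options(raw):
    """Return the option kinds in the order they appear (kind 0 ends, 1 is NOP)."""
    kinds, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP is one byte long
            kinds.append("NOP")
            i += 1
            continue
        length = raw[i + 1]
        kinds.append(OPTION_NAMES.get(kind, f"K{kind}"))
        i += length
    return tuple(kinds)


def normalize_ttl(observed):
    """Map a decremented TTL back to the initial TTL the sender used."""
    for ttl in INITIAL_TTLS:
        if observed <= ttl:
            return ttl
    return observed


def extract_features(pkt):
    """Pull fingerprint features from raw IPv4 header + TCP header bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)   # DF is bit 14
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = parse_tcp_options(tcp[20:data_off])
    return (normalize_ttl(ttl), df, window, opts)


def fingerprint(pkt):
    return SIGNATURES.get(extract_features(pkt), "unknown")


def build_response(ttl, df, window, options):
    """Constructed IPv4+TCP SYN-ACK with the given features (checksums zeroed)."""
    options += b"\x00" * (-len(options) % 4)          # pad to 32-bit boundary
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 2, (tcp_len // 4) << 4,
                      0x12, window, 0, 0) + options    # 0x12 = SYN|ACK
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, flags_frag,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed samples. MSS=kind 2 len 4, SACK-permitted=kind 4 len 2,
# TS=kind 8 len 10, NOP=1, WS=kind 3 len 3.
LINUX_LIKE = build_response(57, True, 5840,
    b"\x02\x04\x05\xb4" b"\x04\x02" b"\x08\x0a" + b"\x00" * 8 + b"\x01" b"\x03\x03\x00")
WINDOWS_LIKE = build_response(121, True, 16384,
    b"\x02\x04\x05\xb4" b"\x01\x01" b"\x04\x02")
ODD_STACK = build_response(250, False, 8760, b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    for name, pkt in (("sample A", LINUX_LIKE), ("sample B", WINDOWS_LIKE), ("sample C", ODD_STACK)):
        print(name, extract_features(pkt), "->", fingerprint(pkt))
```

A real fingerprint uses the responses to several probes (the FIN, NULL and Xmas packets from the scan list, plus malformed SYNs) rather than one SYN-ACK, but the principle is the same: each probe adds features, and the table grows to tell versions apart.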
Defenses Against Port Scanning
• Harden your systems
– Make sure all OS patches are installed
– Close all ports not needed
– Delete all programs associated with closed ports
– If you are comfortable managing your server via a command line
interface remember to disable the GUI interface
• Don't forget to delete the X Windows software
• Remove all unneeded software from your server
– A production web server shouldn't need software development
software, so remove all of the compilers
• Scan your systems before the hackers do; find your
vulnerabilities before they do.
Defenses (more)
• Use stateful packet filtering so that not only the current
packet is taken into consideration but the connection it belongs to
– Intruders can scan right past a standard (stateless) packet filter:
an ACK scan packet looks like part of an established connection
• Use a proxy based firewall
– Gives application layer protection
– Requires complete connections, so nothing reaches the inside
host until the proxy has finished the handshake
– SYN Scans and ACK Scans can't get through; the only thing
the scanner can learn about is the proxy itself
Determining Firewall Rules
• Firewalk
– www.packetfactory.net/Projects/firewalk-final.html
– Allows you to determine what packets are allowed through a
firewall
– Nmap tells you what is happening at the end-point
machines; Firewalk sends packets through a packet
filtering device to determine what it is set up to pass
– Similar to traceroute, works off of the TTL field in the IP header:
probes are sent with a TTL one greater than the hop count to the
filter, so any probe the filter passes dies at the next hop and
produces an ICMP "time exceeded" from there, while a probe the
filter drops produces nothing. Seeing "time exceeded" for a port
therefore means the filter allows it, whatever the end host does.
Review
• List of Live Hosts – Ping and Cheops
• Network Topology – traceroute and Cheops
• List of Open Ports – Nmap
• Operating Systems on Live Hosts – Nmap
• Ports Open Through Packet Filters – Firewalk
Vulnerability Scanning
• Connect to a host and automatically detect if a
vulnerability exists
• Common configuration errors
• Default configuration weaknesses
• Well known system vulnerabilities
Vulnerability Scanning Tools
• Vulnerability Database
• User Configuration Tool
• Scanning Engine
• Knowledge base of current active scan
• Results repository and Report Generator
[Diagram: the User drives the Configuration Tool, which feeds the Scanning
Engine; the engine consults the Vulnerability Database and the Knowledge
Base of the Active Scan while probing the Targets, and writes to the
Results Repository and Reports]
A Selection of Vulnerability Scanners
• Free
– SARA – www-arc.com/sara
– SAINT – www.wwdsi.com/saint
– VLAD – razor.bindview.com/tools
– Nessus – www.nessus.org
• Commercial
– CyberCop Scanner – www.mcafeeb2b.com/services/cybercop-asap.asp
– ISS Internet Scanner – www.iss.net
– eEye Retina Scanner – www.eeye.com
– Qualys' QualysGuard – subscription based – www.qualys.com
– Vigilante SecureScan – subscription based – www.vigilante.com
Wi-Fi
• Wardriving
– Name comes from the movie War Games
– Similar in concept to Wardialing
– Also Warwalking and Warbiking
– Drive around and discover wireless hot spots
– Publish where they are located (GPS coordinates): www.wigle.net
• Legality
– US: Not clearly defined
• New Hampshire – working on a bill to clarify responsibility to secure
wireless networks
– UK: "use of a computer for a purpose for which one does not have
permission" is against the law
• Tools
– Netstumbler
• Windows active mode tool that sends probe requests looking for
wi-fi networks (and so can itself be detected)
– Kismet
• Most platforms – passive mode tool that only listens; does network
detection (including networks that don't broadcast their SSID),
packet sniffing and IDS