Transcript Lesson 7
Scanning and Spoofing
Lesson 7
Scanning
• Ping Sweeps
• Port Scanners
• Vulnerability Scanning tools
Ping Sweep
• PING (Packet INternet Groper)
• A utility designed to determine whether or not a
remote system is accessible.
• Using PING, attackers can send an ICMP
echo request to every address within a range
to determine which systems are “up and
running”
• Every system that is up will respond with an
echo reply, providing a list of potential targets
PING Sweeps
Unused Address
10.1.1.9
Echo Request
Attacker
Echo Request
Echo Reply
10.1.1.10
Echo Request
Unused Address
10.1.1.11
Target List
10.1.1.10
PING Sweeps
• Less effective today than in the past
• Recent rise in DoS attacks which also use ICMP have
resulted in administrators setting their systems to reject
inbound ICMP echo requests.
• Can still be effective for insiders or attackers who
have been able to penetrate at least one system.
• There are a number of different packages that can
be downloaded that accomplish this type of scan.
Port Scanning
• A Port Scanner is a program that checks a
computer’s TCP/IP stack for ports that are
in the LISTEN state.
• There are 65,535 possible ports
• 1-1023 are considered “well known”
• 1024-49151 are called “registered ports”
• 49152-65,535 are dynamic or private ports
• RFC 793 defines how TCP will react to FIN,
ACK, and SYN packets.
RFC 793
If the state is CLOSED (that is, Transmission Control Block does not exist) then
all data in the incoming segment is discarded. An incoming segment containing
a RESET (RST) is discarded. An incoming segment not containing a RST
causes a RST to be sent in response. The acknowledgment and sequence field
values are selected to make the reset sequence acceptable to the TCP that sent
the offending segment.
If the state is LISTEN then first check for an RST, An incoming RST should be
ignored. Second check for an ACK. Any acknowledgment is bad if it arrives on
a connection still in the LISTEN state. An acceptable reset segment should be
formed for any arriving ACK-bearing segment. Third check for a SYN, if the
SYN bit is set, check the security. IF the security/compartment on the incoming
segment does not exactly match the security/compartment in the TCB then send
a reset and return.
Some Well-known ports
Port Number
20
21
23
25
53
79
80
110
443
Network Service
File Transfer Protocol (FTP) Data
File Transfer Protocol (FTP) Control
Telnet
Simple Mail Transfer Protocol (SMTP)
Domain Name Server (DNS)
Finger
World Wide Web (HTTP)
Post Office Protocol – Version 3
HTTPS
Port Scanning
• In a Port Scan, the system will attempt to connect
to specific (or all) ports on the remote system to
see which respond.
• Responding ports are considered “open” and the
attacker can then attempt to exploit (especially
known services on well-known ports).
• Large number of tools available to perform port
scanning. nmap is one of the most popular tools
that can perform a port scan.
Port Scanning
Attacker
79
80
80
81
Web server
82
Services List
HTTP
Types of Port Scanning
• TCP SYN Scanning – “half open” scanning. Sends a SYN packet to each
•
•
•
•
•
remote port. Open ports respond with a SYN/ACK packet. Closed ports
usually respond with an RST packet.
TCP FIN Scanning – Sends a FIN packet (normally sent to clear connection
when conversation is finished). Closed ports usually respond with an RST
packet. Open ports usually ignore FIN packets.
UDP Scanning – often more difficult than TCP since UDP services will not
respond. If an ICMP “port unreachable” message is received, however, it is an
indication the service is NOT running. If the message is NOT received…
Fragmentation Scanning – break scan up into several smaller packets. This
may result in being able to hide the scan from firewalls and IDS.
Relay or bounce scanning – send scan through another system (proxy or
forwarding gateway), may confuse/hide origin of attack
Decoy scanning – send a large number of spoofed packets along with your real
one so they hide the real scan.
Vulnerability Scanning
• One approach to vulnerability scanning is to
• Use a port-scanning tool such as nmap to identify the OS and
to log all listening ports
• May return something like
– Linux Kernel 2.2 with ports 21, 25, 53, 80 listening
• What the ports are and what vulnerabilities that may exist in them is
an exercise left up to the user.
• The purpose of a vulnerability scanner is to detect the
presence of specific vulnerabilities
• Common components for vulnerability scanners
• Vulnerability data – information about known vulnerabilities, how
knowledgeable is the tool?
• Scanning mechanism – the “guts” of the scanner, how accurate is the
tool?
• Reporting mechanism – interface with user
Types of vulnerability scanners
• Commercial scanners: developed and sold by companies (e.g. ISS and
•
•
•
•
•
Cisco).
• Due to development time, often lag freeware scanners.
Freeware scanners: developed and released “in the community”
General-purpose scanners: look for a wide range of vulnerabilities on a large
number of operating systems and applications. Often used in a security audit.
Application scanners: written to examine a specific application for
vulnerabilities associated with it.
Service scanners: Scanning tool used to examine a specific network service,
such as WWW, for common vulnerabilities associated with that service.
Specific vulnerability scanners: written to only check for a specific
vulnerability.
Possible information from scanning
•
•
•
•
•
•
•
•
•
Which systems are active
What services are available/listening
What operating system is in use
Which version of an application is running
Which users have an account on the system and which are active
What the security configuration/settings are
Whether certain patches have been installed
Information about specific vulnerabilities
Possibly whether a specific exploit will be successful
Ways to recognize scanning
• System log file analysis – look for multiple, short duration
connections or connection attempts.
• Network traffic – monitor the volume of inbound and
outbound network traffic. If you have established a profile of
what is normal activity you will be able to recognize spikes in
the activity level which may indicate scanning activity.
• Firewall and router logs – look for multiple rejections or
access violations coming from the same source or group of
sources.
• Intrusion detection systems – most IDS contain built-in
methods for examining traffic to detect scanning attempts.
Defending against Scanning and its
effects
•
•
•
•
•
•
•
•
•
•
Block ports at your router/firewall.
Block ICMP, including echo
Create a DMZ
Use bastion hosts/proxy servers
Use NAT to hide private, internal IP addresses
Remove default/sample materials
Remove unnecessary services
Restrict permissions
Change default headers associated with services
Keep applications and operating systems patched
SATAN (security tool)
Spoofing
• “a sophisticated technique of authenticating
one machine to another by forging packets
from a trusted source address.”
Types of Spoofing
• IP Spoofing – an attacker uses an IP address of
another computer to acquire info.
• Email Spoofing – involves spoofing the from
address of an email.
• Web Spoofing – a site may not be what it appears
to be or what its url would imply it is.
• Non-technical Spoofing – concentrates on
compromising the human element of a company.
IP Spoofing
• This may simply consist of forging the from
address in an IP packet so it appears to have
come from somewhere else.
• Often used to trick target machine into
believing packet is coming from a host it
trusts, thus getting the target machine to
perform some task.
• To do appropriately it may involve sniffing,
spoofing, and DoS attack
Two themes present in these
definitions
• Trust
• “the relationship between machines that are authorized to
connect to one another.”
• Authentication
• “the process those machines use to identify each other.”
• Generally these two have an inverse relationship:
• If a high degree of trust exists between two machines, the
amount of authentication is low.
• If little trusts exists between the machines, a great deal of
authentication is required.
Authentication and Trust
• Most common method of authentication is the
userid/password combination.
• If a user on a local network wants to access
another system on the local network, having to
supply the password to log on is a nuisance.
Consequently, a trusted relationship may be
established where one local system will trust the
other to have authenticated the user originally and
will thus not require additional authentication.
• An example of this is the UNIX .rhosts and
hosts.equiv files.
Trusted relationships in UNIX
• .rhosts file is used to establish a trusted relationship
between machines. Used by rlogin, rsh, and rcp to
determine which remote hosts and users are considered
“trusted” and are allowed to access the host without
supplying a password.
• rlogin (remote login), rsh (remote shell), rcp (remote copy)
• File consists of
• A host name, indicating that this user is trusted when accessing the
system from the specified host, or
• A host name followed by a login name, which indicates that the
listed login name is trusted when accessing the system from the
specified host
.rhosts example
• If user1 had the following .rhosts file in their home
directory (/home/user1/.rhosts)
system2
system4
system5 user2
system2 user5
It would mean
user1 could log in from system2 as user1
user1 could log in from system4 as user1
user1 could log in from system5 as user2
user1 could also log in from system2 as user5
/etc/hosts.equiv file example
• /etc/hosts.equiv are essentially equivalent to a system-wide
.rhosts file and contain lines with hostnames. If system1
contained the /etc/hosts.equiv file:
system2
system4
system5
It would indicate that any user on system2, system4, or
system5 could log into system1 without having to supply
a password.
This assumes that an equivalent username exists on
system1 as the one being used on the accessing system
(i.e. system2, system4, or system5).
A + in the /etc/hosts.equiv file says all systems trusted.
Authentication and UNIX Trusted
relationships
• UNIX will base its trust decision, using the
.rhosts or hosts.equiv files, on the IP address
of the connecting system.
• But…. The IP address (and most other fields)
of an IP header can be forged!!!
IP Spoofing on LAN
Trusted System 2
Trusted System 1
OK, here it is...
Huh? I didn’t ask for that...
This is System 1,
Please send file A
Attacker
Attacker
IP Spoofing on LAN
Trusted System 2
Trusted System 1
OK, here it is...
DoS attack
launched
Attacker uses
sniffer to grab
This is System 1,
file
Please send file A
Attacker
Attacker
IP Spoofing across the Internet
Trusted System 2
Trusted System 1
OK, I’ve done it
Login as
user X
DoS attack
launched
Attacker
Attacker
This is System 1,
Please add user X
to your password file
Spoofing
• In the preceding slides, the actions represented by
the “OK, I’ve done it” or the “OK, here it is” lines
may actually consist of a series of messages with
appropriate responses.
• The attacker knows what the responses should be,
so the attacker can send them, timed appropriately,
to ensure the connection is maintained.
Blind spoofing
• In non-blind spoofing the response sent by
the target machine can be observed
(sniffed).
• In blind spoofing, the target’s responses can
not be observed.
The steps of a spoofing attack
• Identify the target of the attack (a system with a
•
•
•
•
trusted relationship with another).
“Eliminate” (DOS attack) the host you wish to
spoof.
Forge the address of the host being spoofed in
your packet to be sent to the target.
Send the spoofed packet to the target
Keep the connection active by guessing the correct
sequence number used by the target machine.
Sequence numbers
• Used to acknowledge receipt of data.
• Remember 3-way handshake process
• Client sends TCP packet with an initial
sequence number.
• Server responds with it’s own sequence number
and an acknowledgement (ACK).
• The client acknowledges receipt by sending
packet with server’s number plus one.
Guessing the sequence number
• For non-blind spoofing, no problem as you
can see the responses.
• For blind spoofing:
• Contact the target and attempt several
connections
• Target will respond with a sequence number for
each
• Analyze the responses to determine the pattern
the target uses for incrementing
Once you’ve succeeded…
• Attempt to secure a better connection
• Modify password file
• Modify hosts.equiv or .rhosts file
• Shut down spoofed connection (stop the
DOS attack). Now log into the target host
using new account or based on trusted
relationship.
IP Spoofing Prevention Tips
• General rule of thumb: Don’t have any
trusted relationships if you can help it.
• Don’t accept packets from outside of your
network that claim to be originating from
inside of your network.
Email Spoofing
• Similar email address – some may not consider
this real spoofing
• Register email address at site such as hotmail that is
similar to target’s email address
• e.g. if target is [email protected], register
[email protected]
• Modify mail client – some will allow you to
modify what will be put in the From line.
• Telnet to Port 25 – allows you to completely
specify From line
• Attacker acts like mail server connected to port
Web Spoofing
• Basic web spoofing – register domain name
similar to target’s name
• Man-in-the-Middle attacks – attacker positions
himself so all traffic to target goes through him.
(e.g. compromise router)
• Won’t be able to read encrypted traffic but plenty goes
unencrypted.
• URL rewriting – change url’s on target to point to
attacker which then redirects.
Non-Technical Spoofing
• Social engineering – call target and pretend to be
somebody else (e.g. call help desk as new user)
• Reverse social engineering – generally harder to
accomplish. Get somebody to call you (e.g. send
target users a post card congratulating them on
purchase of new computer, promise them 5 hours
of free tech support and provide them a number—
yours—to call)
Summary
• Scanning
• Spoofing
• Adversary Uses