Chapter 2Chapter 2

ScanningScanning

Last modified 2-2-11

Determining If The System Is Alive Determining If The System Is Alive

Determining If The System Is Alive Determining If The System Is Alive

Network Ping SweepsNetwork Ping Sweeps– Ping is traditionally used to send ICMP ECHO Ping is traditionally used to send ICMP ECHO

(Type 8) packets to a target system(Type 8) packets to a target system– Response is ICMP ECHO_REPLY (Type 0) Response is ICMP ECHO_REPLY (Type 0)

indicating the target system is alive indicating the target system is alive – Traffic can be ICMP, ARP, TCP, or UDPTraffic can be ICMP, ARP, TCP, or UDP

ARP Host Discovery

Demo: Cain

ARP Host Discovery

ARP Scan

Advantages – Operates at layer 2– A firewall will not conceal a device from an

ARP scan

Disadvantage– Must be on target’s network segment– Cannot scan through routers

ARP Scanning Tools

arp-scan– Linux command-line tool

Nmap-PR to do ARP scan-sn to skip host discovery

Cain– Sniffer tab– Enable sniffer– Click +

Demo:Nmap

ICMP Packet TypesICMP Packet Types

Message Type: 0 - Echo ReplyMessage Type: 0 - Echo ReplyMessage Type: 3 - Destination UnreachableMessage Type: 3 - Destination UnreachableMessage Type: 4 - Source QuenchMessage Type: 4 - Source QuenchMessage Type: 5 - RedirectMessage Type: 5 - RedirectMessage Type: 8 – Echo RequestMessage Type: 8 – Echo RequestMessage Type: 11 - Time ExceededMessage Type: 11 - Time ExceededMessage Type: 12 - Parameter ProblemMessage Type: 12 - Parameter ProblemMessage Type: 13 - TimestampMessage Type: 13 - TimestampMessage Type: 14 - Timestamp ReplyMessage Type: 14 - Timestamp ReplyMessage Type: 15 - Information RequestMessage Type: 15 - Information RequestMessage Type: 16 - Information ReplyMessage Type: 16 - Information ReplyMessage Type: 17 – Address Mask RequestMessage Type: 17 – Address Mask RequestMessage Type: 18 – Address Mask ReplyMessage Type: 18 – Address Mask Reply

ICMP Queries ICMP Queries

icmpquery uses ICMP type 13 icmpquery uses ICMP type 13 (TIMESTAMP) to find the system time, (TIMESTAMP) to find the system time, which shows its timezonewhich shows its timezone

ICMP type 17 (ADDRESS MASK ICMP type 17 (ADDRESS MASK REQUEST) shows the subnet maskREQUEST) shows the subnet mask– Link Ch 2nLink Ch 2n

Network Discovery Tools

Nmap ICMP Options

nping (Included with Nmap)

SuperScanSuperScan

Windows Windows freewarefreewareNot so fast Not so fast anymoreanymoreDoes PING Does PING scanning, using scanning, using several types of several types of ICMP packetsICMP packetsAlso does port Also does port scanning, banner scanning, banner grabbing, whois, grabbing, whois, and enumerationand enumeration

Unix Ping Detection ToolsUnix Ping Detection Tools

ScanlogdScanlogd

CourtneyCourtney

IpplIppl

ProtologProtolog

ICMP BlockingICMP Blocking

ICMP is often blocked these daysICMP is often blocked these days– Blocked by default in Win XP SP2, Win 2003 Blocked by default in Win XP SP2, Win 2003

SP 1, and VistaSP 1, and Vista

If ICMP is blocked, use port scanningIf ICMP is blocked, use port scanning– Slower than ping sweepingSlower than ping sweeping

SuperScan for WindowsSuperScan for Windows

Nmap for Linux, Unix, or WindowsNmap for Linux, Unix, or Windows

Hping2 for Unix (can fragment packets)Hping2 for Unix (can fragment packets)

Ping Sweeps Countermeasures Ping Sweeps Countermeasures

Detecting Ping SweepsDetecting Ping Sweeps– Network-based Intrusion Detection Systems Network-based Intrusion Detection Systems

like Snort detect ping sweepslike Snort detect ping sweeps– Ping scans will be in the host logsPing scans will be in the host logs– Firewalls can detect ping scansFirewalls can detect ping scans

Blocking ICMPBlocking ICMP

Routers may require some ICMP packets, Routers may require some ICMP packets, but not all typesbut not all types

Safest procedure would be to allow ICMP Safest procedure would be to allow ICMP only from your ISP, and only to public only from your ISP, and only to public servers on your DMZservers on your DMZ

Other ICMP ThreatsOther ICMP Threats

ICMP can be used for a Denial of Service ICMP can be used for a Denial of Service attackattack

ICMP can be used as a covert channel ICMP can be used as a covert channel with Lokiwith Loki– Allowing unauthorized data transferAllowing unauthorized data transfer– Such as control signals for a back-door trojanSuch as control signals for a back-door trojan– Links Ch 2l, Ch 2mLinks Ch 2l, Ch 2m

Determining Which Services Determining Which Services are Running or Listeningare Running or Listening

2121

Normal TCP HandshakeNormal TCP Handshake

ClientClient SYN SYN ServerServer

ClientClient SYN/ACK SYN/ACK ServerServer

ClientClient ACKACK ServerServer

After this, you are ready to send dataAfter this, you are ready to send data

2222

SYN Port ScanSYN Port ScanClientClient SYN SYN ServerServer

ClientClient SYN/ACK SYN/ACK ServerServer

ClientClient RSTRST ServerServer

The server is ready, but the client decided The server is ready, but the client decided not to complete the handshakenot to complete the handshake

2323

Types of Port ScansTypes of Port Scans

SYN scanSYN scan– Stealthy scan, because session handshakes are Stealthy scan, because session handshakes are

never completednever completed– That keeps it out of some log filesThat keeps it out of some log files– Three statesThree states

ClosedClosed

OpenOpen

FilteredFiltered

2424

Types of Port ScansTypes of Port Scans

Connect scanConnect scan– Completes the three-way handshakeCompletes the three-way handshake– Not stealthy--appears in log filesNot stealthy--appears in log files– Three statesThree states

ClosedClosed

OpenOpen

FilteredFiltered

Other Scan TypesOther Scan Types

TCP FIN scan TCP FIN scan

TCP Xmas Tree scan (FIN, URG, and TCP Xmas Tree scan (FIN, URG, and PUSH)PUSH)

TCP Null scan TCP Null scan – Handled differently by Linux and WindowsHandled differently by Linux and Windows

TCP ACK scan TCP ACK scan – Returns RST unless the port is filteredReturns RST unless the port is filtered

UDP ScanningUDP Scanning

No handshake, so less useful than TCP No handshake, so less useful than TCP scansscans

Much more powerful in newer versions of Much more powerful in newer versions of NmapNmap

Sends valid UDP requests to well-known Sends valid UDP requests to well-known portsports– Send a DNS query to port 53, etc.Send a DNS query to port 53, etc.

Response indicates open UDP portResponse indicates open UDP port

TCP HeaderTCP Header

WINDOWWINDOW indicates the amount of data that may indicates the amount of data that may be sent before an acknowledgement is requiredbe sent before an acknowledgement is required

TCP Window ScanTCP Window Scan

Sends ACK packetsSends ACK packets– Both open and closed ports reply with RST Both open and closed ports reply with RST

packetspackets– But on some operating systems, the But on some operating systems, the

WINDOW size in the TCP header is non-zero WINDOW size in the TCP header is non-zero for open ports, because the listening service for open ports, because the listening service does sometimes send datadoes sometimes send data

– Link Ch 2xLink Ch 2x

RPC ScanRPC Scan

SunRPC (Sun Remote Procedure Call) is SunRPC (Sun Remote Procedure Call) is a common UNIX protocol used to a common UNIX protocol used to implement many services including NFS implement many services including NFS (Network File System)(Network File System)

The RPC scan works on Unix systems, The RPC scan works on Unix systems, including Solarisincluding Solaris

Enumerates RPC services, which are rich Enumerates RPC services, which are rich in exploitable security holesin exploitable security holes– See link Ch 2ySee link Ch 2y

NmapNmap

Interesting optionsInteresting options-f -f fragments packetsfragments packets

-D-D Launches decoy scans for Launches decoy scans for concealmentconcealment

-I-I IDENT Scan – finds owners of IDENT Scan – finds owners of processesprocesses

(on Unix systems)(on Unix systems)

-b-b FTP Bounce (see next slide)FTP Bounce (see next slide)

FTP BounceFTP Bounce

1. Transfer attack code to FTP server

2. Request file transfer to target

Attacker

FTP Server

Target

FTP BounceFTP Bounce

Old FTP servers allowed a request for a Old FTP servers allowed a request for a file transfer to a third IP addressfile transfer to a third IP address

This could be used to send email or other This could be used to send email or other data to the third computer from the FTP data to the third computer from the FTP serverserver

Very old attack, from 1995Very old attack, from 1995

Almost unusable todayAlmost unusable today

Windows-Based Port Scanners Windows-Based Port Scanners

SuperScanSuperScan– Four different ICMP host-discovery Four different ICMP host-discovery

techniquestechniques– Accurate UDP scan sending "Data+ICMP" Accurate UDP scan sending "Data+ICMP" – Banner grabbingBanner grabbing– Many other toolsMany other tools

Nmap with the Zenmap GUINmap with the Zenmap GUI– Powerful, runs on WindowsPowerful, runs on Windows

Command-line ScannersCommand-line Scanners

ScanlineScanline– For WindowsFor Windows

netcatnetcat– For Windows and LinuxFor Windows and Linux

nmapnmap– Can be run on the command line, on Windows Can be run on the command line, on Windows

or Linuxor Linux

Port Scanning Countermeasures Port Scanning Countermeasures

Snort (http://www.snort.org) is a great free Snort (http://www.snort.org) is a great free IDS (Intrusion Detection System)IDS (Intrusion Detection System)– [**] spp_portscan: PORTSCAN DETECTED [**] spp_portscan: PORTSCAN DETECTED from 192.168.1.10 [**] 05/22-from 192.168.1.10 [**] 05/22-18:48:53.681227 [**] spp_portscan: 18:48:53.681227 [**] spp_portscan: portscan status from 192.168.1.10: 4 portscan status from 192.168.1.10: 4 connections across 1 hosts: TCP(0), connections across 1 hosts: TCP(0), UDP(4) [**] 05/22-18:49:14.180505 [**] UDP(4) [**] 05/22-18:49:14.180505 [**] spp_portscan: End of portscan from spp_portscan: End of portscan from 192.168.1.10 [**] 05/22-18:49:34.180236192.168.1.10 [**] 05/22-18:49:34.180236

Other Detection ToolsOther Detection Tools

ScanlogdScanlogd– Detects TCP Port Scans on UnixDetects TCP Port Scans on Unix

Firewalls can detect port scansFirewalls can detect port scans– Use Use threshold loggingthreshold logging to limit the volume of to limit the volume of

email alerts sent by your firewallemail alerts sent by your firewall– That groups similar alerts into a single emailThat groups similar alerts into a single email

AttackerAttacker– Windows tool from Foundstone to detect port Windows tool from Foundstone to detect port

scansscans

Preventing Port ScansPreventing Port Scans

You can't stop the scans from coming in, You can't stop the scans from coming in, but you can mimimize your attack surfacebut you can mimimize your attack surface

Disable unnecessary servicesDisable unnecessary services

Detecting the Operating System Detecting the Operating System

Banner-GrabbingBanner-Grabbing– Many services announce what they are in Many services announce what they are in

response to requestsresponse to requests– Banner grabbers just collect those bannersBanner grabbers just collect those banners– But they could be spoofedBut they could be spoofed

Active Stack Fingerprinting Active Stack Fingerprinting

Details of the TCP Packets are used to Details of the TCP Packets are used to identify the operating systemidentify the operating system

Nmap does this, using these probes:Nmap does this, using these probes:– FIN probe FIN probe – Bogus Flag probe Bogus Flag probe – Initial Sequence Number (ISN) sampling Initial Sequence Number (ISN) sampling – "Don't fragment bit" monitoring "Don't fragment bit" monitoring – TCP initial window size TCP initial window size

And many othersAnd many others

Operating System Detection Operating System Detection Countermeasures Countermeasures

IDS can detect operating system detection IDS can detect operating system detection scansscans

Hacking the OS to change its TCP stack is Hacking the OS to change its TCP stack is dangerous, and not recommendeddangerous, and not recommended

Best policy: Accept that your firewalls and Best policy: Accept that your firewalls and proxy servers will be scanned and proxy servers will be scanned and fingerprinted, and harden them against fingerprinted, and harden them against attackers who know the OSattackers who know the OS

Passive Operating System Passive Operating System Identification Identification

Sniff traffic and guess the OS from thatSniff traffic and guess the OS from that

Examine these featuresExamine these features– TTLTTL (time-to-live) (time-to-live)– Window sizeWindow size– DFDF (Don't fragment bit) (Don't fragment bit)

siphon was the first tool to do this, it's out siphon was the first tool to do this, it's out of dateof date

p0f is a newer one (link Ch 2z6)p0f is a newer one (link Ch 2z6)

p0f on Vistap0f on Vista

Run p0f in a Command Prompt WindowRun p0f in a Command Prompt Window

Open a Web pageOpen a Web page

It fingerprints any OS it can see on the It fingerprints any OS it can see on the LANLAN

Nmap Plus MetasploitNmap Plus Metasploit

Nmap scans can be imported into Nmap scans can be imported into Metasploit for further exploitationMetasploit for further exploitation

Details at end of chapter 2Details at end of chapter 2

Automated Discovery Tool: Automated Discovery Tool: Cheops-ngCheops-ng

Combines Ping, Combines Ping, Traceroute, Port Traceroute, Port Scans, and OS Scans, and OS Detection to draw Detection to draw a network mapa network map– Link Ch 2z7Link Ch 2z7

Windows 7's Windows 7's "Network Map" is "Network Map" is similarsimilar