IP Network Scanning

Transcript of a 27-slide lecture deck. Outline: what is IP network scanning (concepts, motivation); example tool; scanning types.

Slide 2: Outline

What is IP network scanning? Concepts, motivation.
Example tool: nmap.
Scanning types: host discovery, port scanning, version detection, OS detection.

Slide 3: What is Scanning?

A method to gather information about the devices running on a network.
Typically used to discover services or servers on a network: which hosts are up? Which services are they offering?
Do not confuse this with a "host vulnerability scanner" (Nessus, SAINT), which explores a computer further by testing it for common vulnerabilities.

Slide 4: Why Scanning? Network security assessment

Evaluating and auditing security: firewall penetration test (policy auditing), IDS proof/evaluation, identifying unexpected new servers.
Identifying open ports, either to protect the network proactively (network and security admins) or to attack it (hackers).

Slide 5: nmap

A well-known and free security scanner written by Fyodor (http://insecure.org/nmap/).
First released Sept 1, 1997 in Phrack 51, "The Art of Port Scanning" (http://www.phrack.org/issues.html?issue=51).
Many updates since then: OS detection (http://www.phrack.org/issues.html?issue=54&id=9#article), version scanning, ARP scanning.
Version 5.00 as of this document.
Usage: nmap [scan types] [options] <host or net ...>

Slide 6: Why nmap

An excellent tool with a long history of development and support, continuous development and improvements, and the "industry standard" port scanner.

Slide 7: nmap features

Host discovery: which hosts are alive? Identifying computers on a network, for example listing the computers that respond to pings (ping sweeps).
Port scanning: what services are available? Enumerating the open ports on one or more target computers.
Service and version detection: which version is running? Determining the application name and version number.
OS detection: what platforms are served? Remotely determining the OS and some hardware characteristics of network devices.

Slide 8: Host Discovery

Querying multiple hosts using this method is referred to as a ping sweep. It is the most basic step in mapping out a network.
Several sweep techniques: ICMP sweeps, broadcast ICMP, non-echo ICMP, TCP sweep, UDP sweep.

Slide 9: Host Discovery: ICMP Sweeps

Technique: send an ICMP ECHO request (ICMP type 8). If an ICMP ECHO reply (ICMP type 0) is received, the target is alive; if there is no response, the target is down.
Pros and cons: easy to implement; fairly slow and easily blocked.

Diagram:
  Scanner -> Target: ICMP ECHO request
  Target -> Scanner: ICMP ECHO reply      => the host is alive
  Scanner -> Target: ICMP ECHO request
  (no response)                           => the host is down/filtered

Slide 10: Host Discovery: Broadcast ICMP

Send an ICMP ECHO request to the network and/or broadcast addresses. Windows ignores this, and most routers block it.

Slide 11: Host Discovery: Non-ECHO ICMP

ICMP type 13 messages (TIMESTAMP): query the current time.
ICMP type 17 messages (ADDRESS MASK REQUEST): let diskless systems obtain their subnet mask at bootstrap time (RFC 792).

Slide 12: Host Discovery: TCP Sweeps

Send TCP ACK or TCP SYN packets. The port number can be selected to avoid blocking by a firewall; usually a good pick would be 21 / 22 / 23 / 25 / 8080.
But firewalls can spoof a RESET packet for an IP address, so TCP sweeps may not be reliable.

Slide 13: Host Discovery: UDP Sweeps

Relies on ICMP PORT UNREACHABLE: assume the port is open if no ICMP PORT UNREACHABLE message is received after sending a UDP datagram.
Cons: routers can drop UDP packets as they cross the Internet; many UDP services do not respond when correctly probed; firewalls are usually configured to drop UDP packets (except for DNS); the UDP sweep relies on the fact that a non-active UDP port will respond with an ICMP PORT UNREACHABLE message.

Slide 14: nmap host discovery summary

-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-PN: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
-sU: UDP Scan

Slide 15: Port Scanning

Determines what services are running, i.e. which ports are in the LISTENING state.
Some well-known types: TCP connect scan, TCP SYN scan, stealth scan, FTP bounce scan.

Slide 16: Port Scanning: TCP Connect Scan

Uses the basic TCP connection establishment mechanism and completes the 3-way handshake. Easy to detect by inspecting the system log.

Diagram:
  open port:   Scanner -> Target: SYN;  Target -> Scanner: SYN/ACK;  Scanner -> Target: ACK
  closed port: Scanner -> Target: SYN;  Target -> Scanner: RST/ACK

Slide 17: Port Scanning: TCP SYN scan

Does not establish a complete connection (half-open scanning): send a SYN packet and wait for a response. If a SYN/ACK is received, the port is LISTENING, and the scanner immediately tears down the connection by sending a RESET. If an RST/ACK is received, the port is non-LISTENING.

Diagram:
  open port:   Scanner -> Target: SYN;  Target -> Scanner: SYN/ACK;  Scanner -> Target: RST
  closed port: Scanner -> Target: SYN;  Target -> Scanner: RST/ACK

Slide 18: Port Scanning: Stealth Scan

Goal: gather information about target sites while avoiding detection. Such scans try to hide among normal network traffic and not be logged by the logging mechanism (stealth).
Techniques:
Flag probe packets (also called "inverse mapping"): a response is sent back only by a closed port. By determining which services do not exist, an intruder can infer which services do exist.
Slow scan rate: difficult to detect, so detection needs a long history log. CERT reported this technique in CERT® Incident Note IN-98.04 (http://www.cert.org/incident_notes/IN-98.04.html).

Slide 19: Port Scanning: Stealth Mapping

RFC 793 specifies how to handle packets that arrive in the wrong state: closed ports reply with a RESET packet to wrong-state packets; open ports ignore the packet in question.
Techniques: a RST scan; a FIN probe with the FIN TCP flag set; an XMAS probe with the FIN, URG, ACK, SYN, RST, PUSH flags set; a NULL probe with no TCP flags set.

Diagram:
  open port:   Scanner -> Target: probe packet;  (no response)
  closed port: Scanner -> Target: probe packet;  Target -> Scanner: RST/ACK

Slide 20: Port Scanning: FTP Bounce scanning

The scanner connects to an FTP server, establishes a control connection, and asks the FTP server to initiate an active data transfer to the real target. Rather slow. Some FTP servers disable the "proxy" feature, but there are still many that do not.

Diagram (scanner 10.0.0.4, target 10.0.0.5):
  Scanner -> FTP server: PORT 10,0,0,5,0,22
  FTP server -> Target:  TCP SYN
  Target -> FTP server:  RST
  FTP server -> Scanner: 425 Cannot build data connection
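The server-side check that closes this hole, added here as an example (not code from any FTP server): decode the PORT argument shown above and refuse it when the address does not match the peer of the control connection. The reply codes follow the usual FTP convention (200 accepted, 500 illegal command, 501 bad parameters); the function names are my own.

```python
"""Hardened handling of the FTP PORT command against bounce scanning.

PORT h1,h2,h3,h4,p1,p2 asks the server to open an active-mode data
connection to h1.h2.h3.h4 on port p1*256 + p2.  A server that connects
wherever the client says can be used to probe third-party hosts, as in
the slide (10.0.0.4 asks the server to connect to 10.0.0.5 port 22).
"""
import ipaddress


def parse_port_command(line: str) -> tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    try:
        fields = [int(x) for x in arg.split(",")]
    except ValueError:
        raise ValueError("non-numeric PORT field") from None
    if len(fields) != 6 or any(not 0 <= x <= 255 for x in fields):
        raise ValueError("malformed PORT argument")
    host = ".".join(map(str, fields[:4]))
    return host, fields[4] * 256 + fields[5]


def check_port_command(line: str, control_peer_ip: str) -> tuple[int, str]:
    """Return the (code, text) reply a hardened server should give.

    control_peer_ip is the source address of the client's control
    connection; only data connections back to that address are allowed.
    """
    try:
        host, port = parse_port_command(line)
    except ValueError as exc:
        return 501, f"Syntax error in parameters: {exc}"
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        # The bounce case: client asks us to connect somewhere else.
        return 500, "Illegal PORT command: address must match control connection"
    if port < 1024:
        # Even on the client's own address, privileged ports are refused.
        return 500, "Illegal PORT command: privileged port not allowed"
    return 200, "PORT command successful"
```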

Slide 21: Port Scanning with nmap

SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX: TCP Null, FIN, and Xmas scans
-b <FTP relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
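A parser for the -p port-specification syntax shown above, added here as an example (it is not nmap's own code). It accepts the three forms on the slide and nmap's open-ended ranges ('-' for 1-65535, '1024-' for 1024-65535); as in nmap, a T: or U: qualifier applies to the items that follow it and unqualified items apply to both protocols.

```python
"""Parse nmap-style -p port specifications into per-protocol port sets."""
import re

MAX_PORT = 65535
_PROTOS = {"T": "tcp", "U": "udp"}
_ITEM_RE = re.compile(r"(\d*)(?:(-)(\d*))?")   # '22', '21-25', '-', '1024-'


def _expand_range(item: str) -> range:
    """Turn one item ('22', '21-25', '-', '1024-') into a range of ports."""
    m = _ITEM_RE.fullmatch(item)
    if not m or item == "":
        raise ValueError(f"bad port item: {item!r}")
    lo, dash, hi = m.groups()
    if dash is None:                       # a single port
        start = end = int(lo)
    else:                                  # a range; either end may be open
        start = int(lo) if lo else 1       # nmap's '-p-' means 1-65535
        end = int(hi) if hi else MAX_PORT
    if not (0 <= start <= end <= MAX_PORT):
        raise ValueError(f"port range out of bounds: {item!r}")
    return range(start, end + 1)


def parse_port_spec(spec: str) -> dict[str, set[int]]:
    """Return {'tcp': {...}, 'udp': {...}} for an nmap -p specification.

    'U:53,111,137,T:21-25,80,139,8080' gives udp={53,111,137} and
    tcp={21..25,80,139,8080}; a spec with no qualifier, such as '22',
    lands in both sets.
    """
    ports: dict[str, set[int]] = {"tcp": set(), "udp": set()}
    current = list(ports)                  # both protocols until qualified
    for raw in spec.split(","):
        item = raw.strip()
        if ":" in item:
            proto, item = item.split(":", 1)
            proto = proto.strip().upper()
            if proto not in _PROTOS:
                raise ValueError(f"unknown protocol qualifier: {proto!r}")
            current = [_PROTOS[proto]]     # applies until the next qualifier
        for name in current:
            ports[name].update(_expand_range(item))
    return ports
```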

Slide 22: Services and Version Detection

The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse the responses.

Slide 23: Operating System Detection

Banner, DNS HINFO and ...
TCP/IP fingerprinting (IP stack implementations respond differently): FIN probe, bogus flag probe; TCP initial sequence number sampling, TCP initial window, ACK value; ICMP error quenching, message quoting, ICMP echo integrity; IP: DF, TOS, fragmentation.

Slide 24: OS Detection: Examples

ACK value: sending FIN|PSH|URG to a closed port. Most OSes reply with an ACK carrying the same sequence number; Windows replies with an ACK carrying sequence number + 1.
Type of Service: probing with an ICMP_PORT_UNREACHABLE message. Most OSes set TOS = 0; Linux sets TOS = 0xC0.

Slide 25: Version and OS Detection with nmap

SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)

OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively

Slide 26: Port Scanning Detection

For administrators to detect scanning: log suspicious packets; identify connections that were not properly terminated; record port usage.

Slide 27: Port Scanning Detection

For a hacker to dodge detection: randomize the sequence of ports to prevent detection; slow scan: avoid exceeding the site's IDS detection threshold (2 packets/day/site!); decoy: spoofed addresses in the attack; coordinated scans: multiple scanners probe the same host or network.
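The three administrator-side checks (suspicious packets, connections never completed, port usage) run over constructed firewall-style log lines, as an added example that is not from the slides or any IDS; the log format, the sample lines and the function names are assumptions. It also shows the slow-scan evasion above from the defender's side: a 60-second window catches the fast sweep but misses the one-port-per-day scanner, which only appears with a window of days, the long history log the stealth-scan slide calls for.

```python
import re
from collections import defaultdict

# Constructed log format (not a real product's): "<epoch> <src> <dst>:<dport> <flags>",
# flags in tcpdump letters S A F R P U, "." meaning no flags set.
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+):(\d+) (\S+)$")

SAMPLE_LOG = [                         # constructed sample, not real traffic
    "1000 10.0.0.4 10.0.0.5:22 S",     # fast SYN sweep from 10.0.0.4 ...
    "1001 10.0.0.4 10.0.0.5:23 S",
    "1002 10.0.0.4 10.0.0.5:25 S",
    "1003 10.0.0.4 10.0.0.5:80 F",     # ... followed by FIN and NULL probes
    "1004 10.0.0.4 10.0.0.5:443 .",
    "1005 10.0.0.9 10.0.0.5:80 S",     # normal client: handshake completes
    "1006 10.0.0.9 10.0.0.5:80 A",
    "90000 10.0.0.7 10.0.0.5:21 S",    # slow scan: one port per day
    "176400 10.0.0.7 10.0.0.5:22 S",
    "262800 10.0.0.7 10.0.0.5:23 S",
]


def parse_line(line):
    """Return (ts, src, dst, dport, flagset), or None if the line is unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, flags = m.groups()
    return int(ts), src, dst, int(dport), set(flags) - {"."}


def classify_probe(flags):
    """Label inverse-mapping probes (stealth mapping slide) by their TCP flags."""
    if not flags:
        return "NULL"
    if flags == {"F"}:
        return "FIN"
    if {"F", "P", "U"} <= flags:       # covers nmap -sX and the all-flags XMAS
        return "XMAS"
    return None


def analyse(lines, window, port_threshold):
    """Return (suspicious, half_open, sweeps): NULL/FIN/XMAS probes as
    (src, dport, label); SYN-without-ACK flows as (src, dst, dport); and
    (src, n) for sources hitting >= port_threshold ports within `window` s."""
    pkts = sorted((p for p in map(parse_line, lines) if p), key=lambda p: p[0])
    suspicious, flows, hits = [], defaultdict(set), defaultdict(list)
    for ts, src, dst, dport, fl in pkts:
        label = classify_probe(fl)
        if label:
            suspicious.append((src, dport, label))
        flows[(src, dst, dport)].update(fl)
        hits[src].append((ts, dport))
    half_open = [f for f, fl in flows.items() if "S" in fl and "A" not in fl]
    sweeps = []
    for src, events in hits.items():    # events are already time-ordered
        best, lo = 0, 0
        for hi in range(len(events)):   # slide the window forward
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({p for _, p in events[lo:hi + 1]}))
        if best >= port_threshold:
            sweeps.append((src, best))
    return suspicious, half_open, sweeps
```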