Scanning 1 Scanning Scanning 2 Attack Phases Phase 1: Reconnaissance Phase 2: Scanning Phase 3:...

Posted 21-Dec-2015 (Category: Documents)

Transcript of Scanning 1 Scanning Scanning 2 Attack Phases Phase 1: Reconnaissance Phase 2: Scanning Phase 3:...

Page 1: Scanning

Page 2: Attack Phases
• Phase 1: Reconnaissance
• Phase 2: Scanning
• Phase 3: Gaining access
  o Application/OS attacks
  o Network attacks/DoS attacks
• Phase 4: Maintaining access
• Phase 5: Covering tracks and hiding

Page 3: Scanning
• After recon phase attacker has…
  o Phone numbers, contact info
  o Domain names, IP addresses
  o Maybe some details about infrastructure
• Next, scanning
  o Like burglar trying doors and windows

Page 4: Scanning
• Good guys
  o Must secure every entry point
  o Must work in a dynamic environment
  o Must deal with those pesky users
• Attacker
  o Only needs to find one hole
  o Can take as long as necessary
• “Sadly unfair” (all-too-common in security)

Page 5: Scanning Techniques
• War driving
• War dialing
• Network mapping
• Port scanning
• Vulnerability scanning
• IDS and IPS

Page 6: War Driving
• Scan for wireless access points
  o Preferably, not secured WLANs
• War driving started by Peter Shipley
  o Drove around Bay Area in 2001
• Now a very popular activity
  o Defcon has a WarDriving contest (including map of open access points)

Page 7: War Driving
• Must be within 100 yards or so to reliably send/receive WLAN
• But, detectable from a mile or more
• War driver wants to find ESSID of WLAN
  o ESSID == Extended Service Set Identifier
  o ESSID is WLAN’s “name”
  o ESSID acts like a password (almost)
  o By default, ESSID is sent in the clear
  o Can configure access point to not send ESSID…

Page 8: War Driving
• 802.11 “probe” message
  o Required to send ESSID in probe msg
  o But send “any” for ESSID and…
  o … some access points respond with ESSID!
• So, Trudy simply asks for ESSID
  o And sometimes she gets it
• Can configure to require BSSID (Basic SSID)
  o I.e., the MAC address must be on approved list
  o This helps, but only a little…

Page 9: War Driving
• Many tools available
• Three basic techniques
  o Active scanning
  o Passive scanning
  o Forced de-authentication
• Tools use one (or more) of these

Page 10: NetStumbler
• Active 802.11 scanning tool
  o Sends “probe” packets with “any” ESSID
  o Access point within range might respond
  o Like “running down the street shouting…”
• For Windows 2k, also version for PDAs
• Optionally uses GPS to locate access pts
• One hour in NYC: found 455 access pts

Page 11: NetStumbler
• Gathers MAC address, ESSID, channel, and signal strength
  o Also, IP address (using DHCP)
  o Whether it is using WEP or not
• Limitations
  o Many access pts ignore “any” ESSID
  o Highly unstealthy

Page 12: Wellenreiter
• Passive scanning tool
• Puts wireless card in rfmon mode
  o Aka “monitor mode”
  o Better than promiscuous mode
  o Gets everything --- no connection needed
  o Even if encrypted, ESSID still sent in clear
• Can dump packets into Wireshark
• Also interfaces with GPS

Page 13: Wellenreiter
• Gets ESSID, MAC, IP addresses
  o Entirely passive
• If access pt not sending ESSID
  o “Non-broadcasting”, name is unknown…
  o …until user “authenticates” to access pt
• Related tool: Kismet
  o Detailed packet analysis, not war driving

Page 14: Wellenreiter

Page 15: Forced De-authentication
• Suppose that a particular access pt…
  o Does not accept “any”
  o Does not broadcast ESSID
  o Clients have previously authenticated
  o No clients currently communicating
• Invisible to NetStumbler, “non-broadcasting” to Wellenreiter
• What can Trudy do?

Page 16: ESSID-Jack
• Assuming Trudy has access pt MAC address
  o Get MAC from Wellenreiter, Kismet
• De-authentication requires no “authentication”
  o That is, the ESSID is not required
  o Only need access point’s MAC address
• ESSID-Jack sends de-authentication msg
• Then what happens?

Page 17: ESSID-Jack
• Client(s) automatically re-authenticate
  o ESSID-Jack gets ESSID
  o So Trudy gets ESSID

Page 18: War Driving Defenses
• Set ESSID to nondescript name
  o 1234 instead of BankOfAmerica
• Do not broadcast ESSID
• Require authentication
• MAC address for authentication?
  o Easily spoofed
  o Unix/Linux tool: SirMACsAlot

Page 19: WEP
• WEP == Wired Equivalent Privacy
• WEP uses RC4 for confidentiality
  o Considered a strong cipher
  o But WEP introduces a subtle flaw
• WEP uses CRC for “integrity”
  o Should have used a crypto hash instead
  o CRC is for error detection, not integrity

Page 20: WEP Integrity Problems
• WEP “integrity” does not provide integrity
  o CRC is linear, so is stream cipher XOR
  o Can change ciphertext and CRC so that checksum remains correct --- undetected
  o This requires no knowledge of the plaintext!
  o Even worse if plaintext is known
• CRC is not a cryptographic integrity check!
  o CRC designed to detect random errors
  o Not designed to detect intelligent changes

Page 21: WEP Key
• WEP encryption: long-term secret key, K
• RC4 is a stream cipher, so each packet must be encrypted using a different key
  o Initialization Vector (IV) sent with packet
  o Sent in the clear (IV is not secret)
• Actual RC4 key for packet is (IV,K)
  o That is, IV is pre-pended to K

Page 22: Initialization Vector “Issue”
• WEP uses 24-bit (3 byte) IV
  o Each packet gets a new IV
  o RC4 packet key: IV pre-pended to long-term key, K
• Long term key K seldom (if ever) changes
• If long-term key and IV are same, then same keystream is used
  o This is bad!
  o It is at least as bad as reuse of one-time pad

Page 23: Initialization Vector “Issue”
• Assume 1500 byte packets, 11 Mbps link
• Suppose IVs generated in sequence
  o Then 1500·8/(11·10^6)·2^24 ≈ 18,000 seconds
  o Implies IV must repeat in about 5 hours
• Suppose IVs generated at random
  o By birthday problem, some IV repeats in seconds
• Again, repeated IV (with same K) is bad!
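Worked out in Python as an added example (not from the slides): the sequential-IV repeat time from slide 23, the birthday-bound estimate behind the "repeats in seconds" claim for random IVs, and a small simulation of random 24-bit IVs that confirms it. The 1500-byte packet and 11 Mbps link figures are the slide's; the rest is computed.

```python
import math
import random

IV_BITS = 24                 # WEP IV size (slide 22)
PACKET_BYTES = 1500          # slide's assumption
LINK_BPS = 11_000_000        # 11 Mbps 802.11b link


def packets_per_second(packet_bytes=PACKET_BYTES, link_bps=LINK_BPS) -> float:
    """Packets per second at full link rate (ignores 802.11 framing overhead)."""
    return link_bps / (packet_bytes * 8)


def sequential_repeat_seconds(iv_bits=IV_BITS, packet_bytes=PACKET_BYTES,
                              link_bps=LINK_BPS) -> float:
    """Time until a counter-style IV wraps: 2^24 packets at the link rate.
    This is the slide's 1500*8/(11*10^6) * 2^24, about 18,000 s (5 hours)."""
    return (2 ** iv_bits) / packets_per_second(packet_bytes, link_bps)


def birthday_packets(iv_bits=IV_BITS, prob=0.5) -> float:
    """Random IVs: number of packets after which some IV has repeated with
    probability `prob`, from the birthday bound n ~ sqrt(2 N ln(1/(1-p)))."""
    n_values = 2 ** iv_bits
    return math.sqrt(2 * n_values * math.log(1 / (1 - prob)))


def random_repeat_seconds(prob=0.5, packet_bytes=PACKET_BYTES,
                          link_bps=LINK_BPS) -> float:
    """Seconds of full-rate traffic until a random IV repeats with probability `prob`."""
    return birthday_packets(IV_BITS, prob) / packets_per_second(packet_bytes, link_bps)


def simulate_first_repeat(seed: int, iv_bits=IV_BITS) -> int:
    """Draw random IVs until one repeats; return how many packets that took."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return count
        seen.add(iv)


def median_simulated_repeat(trials=5, iv_bits=IV_BITS) -> int:
    """Median packet count to first repeat over several seeded simulations."""
    results = sorted(simulate_first_repeat(seed, iv_bits) for seed in range(trials))
    return results[len(results) // 2]


if __name__ == "__main__":
    print(f"sequential IVs repeat after {sequential_repeat_seconds():,.0f} s "
          f"({sequential_repeat_seconds() / 3600:.1f} h)")
    print(f"random IVs: 50% chance of a repeat after {birthday_packets():,.0f} "
          f"packets = {random_repeat_seconds():.1f} s")
    print(f"simulated first repeat (median of 5 runs): "
          f"{median_simulated_repeat()} packets")
```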

Page 24: WEP Active Attacks
• WEP: “Swiss cheese” of security protocols
• If Trudy can insert traffic and observe corresponding ciphertext
  o Then she will know keystream for that IV
  o And she can decrypt next msg that uses that IV
• If Trudy knows destination IP address
  o She can change IP address in ciphertext
  o And modify CRC so it is correct
  o Then access point will decrypt and forward packet to Trudy’s selected IP address!
  o Requires no knowledge of the key K
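The malleability on slides 20 and 24 reduces to one algebraic fact: CRC-32 is affine over XOR, so for equal-length inputs crc(a XOR b) = crc(a) XOR crc(b) XOR crc(0…0). The Python below is an added example, not part of the original slides or of any WEP implementation; it uses a constructed keystream in place of RC4 and shows that a receiver checking a CRC accepts a ciphertext edit made without the key, while a receiver checking an HMAC (the "crypto hash" slide 19 calls for) rejects the same edit.

```python
import hashlib
import hmac
import random
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def toy_keystream(length: int, seed: int = 7) -> bytes:
    """Constructed stand-in for the RC4 keystream of one (IV, K) pair.
    Only the XOR structure matters for this demonstration."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """crc32(a ^ b) == crc32(a) ^ crc32(b) ^ crc32(zeros) for equal lengths.
    This is the linearity slide 20 refers to."""
    zeros = bytes(len(a))
    lhs = zlib.crc32(xor_bytes(a, b))
    rhs = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)
    return lhs == rhs


# --- WEP-style frame: keystream XOR (message || CRC32(message)) -------------

def crc_frame_encrypt(msg: bytes, ks: bytes) -> bytes:
    icv = zlib.crc32(msg).to_bytes(4, "big")
    return xor_bytes(msg + icv, ks[: len(msg) + 4])


def crc_frame_decrypt(frame: bytes, ks: bytes):
    plain = xor_bytes(frame, ks[: len(frame)])
    msg, icv = plain[:-4], plain[-4:]
    return msg, zlib.crc32(msg).to_bytes(4, "big") == icv


def flip_crc_frame(frame: bytes, delta: bytes) -> bytes:
    """Apply plaintext difference `delta` to a captured frame without the key
    or the plaintext: XOR delta into the body and the matching CRC correction
    into the ICV, so crc32(msg ^ delta) still matches at the receiver."""
    n = len(frame) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole body")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "big")
    return xor_bytes(frame, delta + icv_delta)


# --- Hardened form: keystream XOR (message || HMAC-SHA256(message)) ---------

MAC_KEY = b"constructed-demo-mac-key"  # in practice derived from the session key
TAG_LEN = 32


def mac_frame_encrypt(msg: bytes, ks: bytes) -> bytes:
    tag = hmac.new(MAC_KEY, msg, hashlib.sha256).digest()
    return xor_bytes(msg + tag, ks[: len(msg) + TAG_LEN])


def mac_frame_decrypt(frame: bytes, ks: bytes):
    plain = xor_bytes(frame, ks[: len(frame)])
    msg, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, msg, hashlib.sha256).digest()
    return msg, hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Rewrite a known field (the destination address, as on slide 24) in a
    CRC-protected frame and in an HMAC-protected frame; report what each
    receiver accepts. All values are constructed sample data."""
    msg = b"DST=10.0.0.5 PAYLOAD=hello"
    ks = toy_keystream(len(msg) + TAG_LEN)
    # The editor knows only where the field sits and what it currently says.
    off = msg.index(b"10.0.0.5")
    delta = (bytes(off) + xor_bytes(b"10.0.0.5", b"10.0.0.9")
             + bytes(len(msg) - off - 8))

    forged_crc = flip_crc_frame(crc_frame_encrypt(msg, ks), delta)
    crc_msg, crc_ok = crc_frame_decrypt(forged_crc, ks)

    # Same body edit against the HMAC frame; the tag cannot be fixed without MAC_KEY.
    forged_mac = xor_bytes(mac_frame_encrypt(msg, ks), delta + bytes(TAG_LEN))
    _, mac_ok = mac_frame_decrypt(forged_mac, ks)

    return {"forged_msg": crc_msg, "crc_accepts_forgery": crc_ok,
            "hmac_accepts_forgery": mac_ok}


if __name__ == "__main__":
    print(demo())
```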

Page 25: War Driving Defenses
• WEP is of limited value
• WPA (Wi-Fi Protected Access)
  o RC4, 48 bit IV, “MIC” (named Michael) for integrity, replay protection, etc.
  o Works with same hardware as WEP
• 802.11i (or WPA2)
  o Like WPA but crypto is better (AES)
  o Requires different hardware than WEP
• Can try to detect unusual activity
• Turn down the volume…

Page 26: Wireless Security
• VPN == Virtual Private Network
  o Secure “tunnel” between endpoints
  o Not wireless-specific
  o But can be used to secure wireless
• VPN provides extra layer of security
  o On top of WEP or WPA
  o Author says, do not use IKE pre-shared keys in aggressive mode

Page 27: War Dialing
• Dial lots of phone numbers
  o Looking for unprotected modems
  o One PC can scan 1k numbers/night
• The movie War Games (circa 1983)
  o Kid tries to break into game company…
  o …and accidentally starts WWIII
  o Plot (such as it is) hinges on war dialing

Page 28: War Dialing
• Can this possibly still be an issue?
  o User might want to bypass annoying VPN
  o Admin might want remote access
• User might install remote access tool
  o pcAnywhere, for example
  o Only protection from war dialer is pwd?

Page 29: War Dialing
• How to find phone numbers to try?
  o Internet, Whois database, organization’s Web site, social engineering, …
• Maybe try numbers with same prefix
• Easy to test 1,000s of numbers

Page 30: THC-Scan
• Free war dialing tool

Page 31: THC-Scan
• Can dial sequence, random, or list
  o “Random” to avoid detection
• Parallel process on multiple machines
• Nudging
  o Try to determine useful info
• Can randomize interval between dialing
• Detect jamming (based on busy signals)
• If human answers, “hangs up” (click)

Page 32: THC-Scan
• Not too user-friendly
  o User must look at logs
• Some numbers…
  o Might not require any password
  o Might require special software (pcAnywhere)
  o Such info gathered via “nudging”
• If password is required,
  o Trudy can try password cracking

Page 33: War Dialing Defenses
• Modem policy
  o When possible, use VPN
• If possible, allow dial-out only
• War dial against yourself
  o Find modems before attacker does
  o For Windows, can use Windows Management Instrumentation (WMI) scripts
• Visual inspection

Page 34: Network Mapping
• At this point, attacker is either…
• On the outside looking in
  o I.e., on Internet looking at target DMZ
• Has inside access
  o Attached to WLAN found war driving
  o Connected via a modem found war dialing
• Next step is to analyze target network
  o Looking for potential targets
  o Critical hosts, routers, firewalls, …

Page 35: Network Mapping
• Mapping tools will be aimed wherever attacker can reach
  o If outside, map DMZ, Web server, etc.
  o If inside, map internal network
• In either case, same tools
  o Similar methods

Page 36: Sweeping
• Want an inventory of accessible systems
• Could ping every possible address
  o But often blocked by firewall
• Send TCP packets to common port(s)
  o Look for SYN-ACK to come back
• Send UDP packets with unusual port
  o If closed, may get “port unreachable”
  o But, maybe nothing is sent back

Page 37: Traceroute
• TTL field in IP header
  o Usually decremented by each router
• When TTL reaches 0…
  o Router kills packet
  o Sends ICMP time exceeded msg to source
• Traceroute
  o UNIX: traceroute uses UDP packets
  o Windows: tracert uses ICMP packets

Page 38: Traceroute
• Map routers from source to dest

Page 39: tracert
• In Windows

Page 40: Ping and Traceroute
• Might find, for example:

Page 41: Automated Tool
• Cheops-ng
  o Free
  o Pretty pictures
  o Lots of info (type of OS …)
  o Useful for admins too

Page 42: Network Mapping Defenses
• Block incoming ICMP packets
  o Except those you want outsiders to ping
• Block outgoing ICMP time exceeded
  o Except for specific addresses
  o Then (***) responses in traceroute
• Limits attacker’s ability to map network
  o Also limits good uses of these features

Page 43: Port Scanning
• At this point, attacker knows…
  o Addresses of live systems
  o Basic network topology
• Now what?
• Assume Trudy is outsider
• Trudy wants to determine open ports
  o 65k TCP ports and 65k UDP ports
  o Well-known ports correspond to services
  o Open port is a doorway into machine

Page 44: Port Scanning
• Port scanning
  o Knock on “doors” (ports) to see which are open
• Why not simply try all TCP and UDP ports?
  o Not stealthy
• Instead can try limited range
  o More stealthy, but might miss something
• Could instead just go slow
  o Maybe too slow (or Trudy is too impatient)
• Distributed port scan?

Page 45: Nmap
• Nmap --- most popular port scan tool
  o Developed by Fyodor
  o Free at www.insecure.org
  o Unix, Linux and Windows versions
  o Command line and GUI
  o Appeared in The Matrix Reloaded
• Many many options…

Page 46: Nmapfe
• “Nmap front end”

Page 47: TCP 3-Way Handshake
• Recall the 3-way handshake…

Page 48: TCP Connect Scan
• “Polite scan”
• Complete the TCP 3-way handshake
  o Nmap sends SYN, waits for SYN-ACK
  o If port is open, Nmap sends ACK, then FIN
  o If closed, no reply, RESET, ICMP unreachable
• Plusses?
  o Should not cause problem for target
• Minuses?
  o Not stealthy, Trudy’s IP address in logs, etc.

Page 49: TCP SYN Scans
• Nmap sends SYN
  o Gets SYN-ACK, ICMP unreachable, etc.
  o In any case, Nmap sends RESET
  o I.e., only 2/3rds of 3-way handshake completed
• Plusses?
  o Stealthier (may not be logged by host)
  o Faster, fewer packets
• Minuses?
  o Accidental DoS attack?

Page 50: FIN Scan
• FIN scan
  o Send FIN for non-existent connection
  o Port closed, protocol says send RESET
  o Port open, protocol says nothing
  o No reply may indicate port is open

Page 51: Xmas Tree and Null Scans
• Xmas tree scan
  o All flag bits set: URG,ACK,PSH,RST,SYN,FIN
• Null scan
  o Send packet with no flag bits set
• Both of these violate protocol
• Expect same behavior as FIN scan
• Note: These do not work against Windows
  o Since Windows does not follow the RFCs

Page 52: TCP ACK Scan
• Simpleminded packet filter might…
  o Allow outbound, established connections
  o Block incoming if ACK bit not set

Page 53: TCP ACK Scan
• Packet filter assumes
  o ACK bit set means established connection
• How can Trudy take advantage of this?
• Send packets with ACK bit set!
  o These pass thru open ports
  o Allows for simple port scan of firewall

Page 54: TCP ACK Scan
• No response/unreachable: filtered
• RESET if port is not filtered

Page 55: TCP ACK Scan
• Trudy learns…
  o Kinds of established connections that are allowed thru packet filter
• ACK scan used to determine filtering rules
• ACK scan not so useful for scanning open ports on a host
  o Different OSs respond differently
  o Some RESET if port is open, some if port closed
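As a defender's counterpart to slides 48 through 55, here is an added example (not from the slides or from any sensor product) that applies those flag rules to a constructed list of TCP probe records of the form (source, destination, destination port, flags): protocol-violating combinations (Null, Xmas, bare FIN, SYN+FIN) are flagged on sight, while SYN and ACK probes, which are also what legitimate traffic looks like, only alert when one source touches many distinct ports on one destination.

```python
from collections import defaultdict

# Flag letters follow the tcpdump convention: S=SYN A=ACK F=FIN P=PSH U=URG R=RST.
ILLEGAL_KINDS = {"null", "xmas", "fin", "synfin"}


def classify_probe(flags: str) -> str:
    """Map a TCP flag string to the scan type it resembles (slides 48-55)."""
    f = set(flags.upper())
    if not f:
        return "null"                   # Null scan: no flag bits at all
    if {"S", "F"} <= f:
        return "synfin"                 # SYN and FIN never coexist legitimately
    if {"F", "P", "U"} <= f:
        return "xmas"                   # Xmas tree: FIN|PSH|URG lit up
    if f == {"F"}:
        return "fin"                    # bare FIN; a real close carries ACK too
    if f == {"S"}:
        return "syn"                    # connect/SYN scan, or a normal open
    if f == {"A"}:
        return "ack"                    # ACK scan, or normal mid-stream traffic
    return "normal"


def detect_scans(records, port_threshold: int = 10):
    """Return (src, dst, kind, distinct_ports) alerts, sorted by source.

    records: iterable of (src_ip, dst_ip, dst_port, flags) tuples.
    Illegal flag combinations alert on a single packet; SYN and ACK probes
    alert only once one source has touched `port_threshold` distinct ports
    on the same destination, something ordinary clients rarely do."""
    ports = defaultdict(set)
    for src, dst, dport, flags in records:
        ports[(src, dst, classify_probe(flags))].add(dport)
    alerts = []
    for (src, dst, kind), touched in sorted(ports.items()):
        if kind in ILLEGAL_KINDS:
            alerts.append((src, dst, kind, len(touched)))
        elif kind in ("syn", "ack") and len(touched) >= port_threshold:
            alerts.append((src, dst, kind, len(touched)))
    return alerts


# Constructed sample records (documentation-range addresses), not real captures.
SAMPLE_RECORDS = (
    # SYN scan: one source, twelve low ports on one host
    [("203.0.113.7", "192.0.2.10", p, "S") for p in range(20, 32)]
    # ACK scan against the firewall's own address to map its filtering rules
    + [("203.0.113.9", "192.0.2.1", p, "A")
       for p in (21, 22, 25, 53, 80, 110, 143, 443, 445, 3389, 8080)]
    # Null scan: only three ports, but the flag combination is never legitimate
    + [("203.0.113.5", "192.0.2.10", p, "") for p in (22, 80, 443)]
    # Legitimate client: repeated HTTPS connections to a single port
    + [("198.51.100.4", "192.0.2.10", 443, "S")] * 5
    + [("198.51.100.4", "192.0.2.10", 443, "A")] * 20
    + [("198.51.100.4", "192.0.2.10", 443, "FA")] * 5
)


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_RECORDS):
        print("scan suspected: src=%s dst=%s type=%s distinct_ports=%d" % alert)
```

The threshold is the tuning knob: lower it for a firewall's external address, where few distinct ports are ever legitimately touched, and raise it for busy multi-service hosts.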

Page 56: FTP Bounce Scan
• Obscures source of scan
  o So Trudy’s address not logged
  o Stealthy
• Relies on FTP forwarding
  o User can request that a file be forwarded to another machine
  o Mostly disabled today

Page 57: FTP Bounce Scan
• FTP server informs attacker of result

Page 58: Idle Scanning
• Suppose no forwarding FTP server
• Another way to obscure source of scan
• IP header has ID field
  o Used to group fragments together
  o ID must be unique per packet
  o Often just increment a counter (Windows)

Page 59: Idle Scanning
• Pick a machine to blame for scan
• Blamed machine…
  o Attacker must be able to send/receive
  o Must have predictable IP IDs
  o Mostly idle, does not send much traffic (why?)
  o So IP IDs are predictable
• Make it look like this machine scans
  o See next slide

Page 60: Idle Scanning
• Prepare to scan

Page 61: Idle Scan
• For the scan…
• Attacker sends spoofed SYN to target
  o “Source” is the blamed machine
  o Selected port
• Port listening: SYN-ACK to blamed machine
  o Blamed machine sends RESET to target
• Port closed: RESET/nothing to blamed
  o Blamed machine sends nothing
• So what???

Page 62: Idle Scanning
• Recall, last IP ID is X (next is X + 1)

Page 63: Idle Scan
• Very clever!
• Nmap automates this
• May need to repeat multiple times
  o If blamed guy is not “idle enough”
• May want to use several blamed guys
• Other improvements?

Page 64: UDP?
• Much simpler, so fewer scan options
• Not so easy to violate protocol
• Nmap provides “polite scan”
  o Not stealthy
• If ICMP unreachable, port is closed
• If UDP packet sent back, then port is open
• If nothing comes back… don’t know

Page 65: Version Scanning
• Nmap detects service/software on a port
  o In case service does not use official port
  o And to determine software version
  o Can determine services that use SSL
• After 3-way handshake, service usually identifies itself
  o If not, Nmap sends some probing packets
  o UDP services are similarly easy to ID

Page 66: Ping Sweeps
• Nmap provides ping sweeps too
• If incoming ICMP blocked, Nmap does sweep using TCP packets
  o To find live hosts, not as a port scan

Page 67: RPC Scans
• Nmap can scan for RPC applications
  o RPC is for distributed apps
  o Makes distributed app easy to program

Page 68: RPC Scans
• Familiar RPC services (Linux/UNIX)
  o Rpc.rstatd: performance stats from kernel
  o Rwalld: msgs to logged in users
  o Rup: up time and load avg of a service
  o Sadmind: older service for Solaris admin
  o Rpc.statd: used with NFS
• Many vulnerabilities in RPC
  o RPC scan may provide useful info to attacker

Page 69: Source Port
• Nmap can set source port
  o To avoid filtering at target
• Might set source port to 80 or 25
  o Looks like Web traffic, email
• Source port 20 also useful
  o Looks like FTP data connection
  o Why FTP?

Page 70: FTP
• Difficult for simple packet filter
  o Due to control connection (port 21) and data connection (port 20)
• UDP port 53 (DNS) also a good choice

Page 71: Decoys
• Spoofed source addresses
• If attacker uses n decoys
  o Then n + 1 packets sent to each port
  o One with correct source address (except for FTP bounce or idle scans)…
  o …and n with specified spoofed sources
• What good does this do?

Page 72: Active OS Fingerprinting
• Attacker wants to know the OS
• How to do this?
• RFCs do not specify everything
  o E.g., how to respond to illegal combinations of TCP control bits
  o Nmap knows the inconsistencies

Page 73: Active OS Fingerprinting
• Nmap uses the following
  o SYN packet to open port
  o NULL packet to open port
  o SYN|FIN|URG|PSH to open port
  o ACK to open port
  o FIN|PSH|URG to closed port
  o UDP packet to closed port

Page 74: Active OS Fingerprinting
• Predictability of initial sequence numbers also used by Nmap
  o Nmap has database of > 1000 platforms
• Xprobe2 --- active OS fingerprinting tool
  o Stealthier and more accurate than Nmap
• Passive OS fingerprinting is possible
  o No traffic sent to target
  o Sniff packets sent by target
  o This is covered in Chapter 8

Page 75: Nmap Timing Options
• Paranoid --- one packet per 5 minutes
• Sneaky --- one packet per 15 seconds
• Polite --- one packet per 0.4 seconds
• Normal --- as quickly as possible
• Aggressive --- wait max of 1.25 sec for reply
• Insane --- wait max of 0.3 sec for reply
  o Will lose packets, resulting in false negatives
• Timing also customizable

Page 76: Fragmentation
• Nmap also allows fragmentation
• Helps against some IDS systems
  o Discuss later…

Page 77: Port Scanning Defenses
• Harden the system
  o Close unused ports
  o Minimize services/tools
  o Check ports in use

Page 78: Port Scanning Defenses
• Scan yourself using Nmap
  o But this can cause problems
• Use more intelligent firewalls
  o Stateful packet filters or proxies…
  o …instead of packet filters

Page 79: Firewalk
• Determines what gets thru firewall
  o Assuming a packet filter firewall
• Nmap vs Firewalk
  o Nmap does port scan of hosts
  o What happens if you Nmap a firewall?
  o Tells you ports firewall is listening on
  o But, you want to know filtered ports

Page 80: Firewalk
• Nmap vs Firewalk
• But what about Nmap ACK scan?
  o Attacker learns which ports firewall allows established connections on
  o But SYN packets might be dropped
• Firewalk tells attacker ports that firewall allows new connections on
  o More useful info to attacker

Page 81: Firewalk
• Requires 2 IP addresses
  o Address before filtering takes place (i.e., external address of firewall)
  o Destination on other side of firewall
• Firewalk has 2 phases
  o Network discovery (like traceroute)
  o Actual scanning

Page 82: Firewalk
• Network discovery phase
  o Use TTL to find hops to firewall

Page 83: Firewalk
• Scanning phase
  o Packet sent to host behind firewall
  o Note: this works even if NAT is used

Page 84: Firewalk
• TTL field crucial to Firewalk
• Packet filter and stateful packet filters both decrement TTL field
  o So Firewalk can work against these
• Application proxy firewall?
  o Proxy does not forward packet
  o Instead, creates a new packet… so what?

Scanning 85

Firewalk
- How can Trudy use Firewalk results?
- To install software, must know which ports can be used
- Scan for new services on open ports
  o Example: SSH (TCP port 22) open through the firewall, but no SSH service available
  o SSH temporarily activated by admin…

Scanning 86

Firewalk Defenses
- Learn to live with it
  o Since it is based on TCP/IP fundamentals
  o Focus on better firewall rules/management
- Use a proxy-based firewall
  o Might create problems
  o Likely to be much slower

Scanning 87

Attack So Far…
- Trudy knows
  o Addresses of live hosts (ping, Cheops-ng)
  o Network topology (Traceroute, Cheops-ng)
  o Open ports on live hosts (Nmap)
  o Services & version numbers (Nmap)
  o OS types (Nmap, Xprobe2)
  o Ports open thru firewall (Firewalk)

Scanning 88

Vulnerability Scanning
- Now what?
- Trudy wants to know vulnerabilities
- Tools automate the process
  o Connect to host, test for vulnerabilities
- Types of vulnerabilities
  o Configuration errors
  o Default configuration weaknesses
  o Well-known (published) vulnerabilities
- 100s to 1000s of vulnerabilities

Scanning 89

Vulnerability Scanning Tools
- Tools typically employ the following
  o Vulnerability database
  o User configuration
  o Scanning engine
  o Knowledge base of current scan
  o Results/report/repository
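The five components above, wired together in a few dozen lines. This is an added example written for these notes, not code from any real scanner: the vulnerability database, the user configuration and the service banners are all constructed for the example, and the "engine" reads banners from a table instead of probing live hosts. It also shows the limitation discussed later in the deck in miniature: a service whose flaw is not in the database is reported as clean.

```python
"""Skeleton of the five components a vulnerability scanner is built from.
Added example; VULN_DB, CONFIG and BANNERS are constructed sample data."""
import re

# 1. Vulnerability database: service + "affected if version below" + severity.
VULN_DB = [
    {"id": "EX-0001", "service": "ssh", "affected_lt": (2, 0), "severity": "high"},
    {"id": "EX-0002", "service": "ftp", "affected_lt": (1, 3), "severity": "medium"},
]

# 2. User configuration: which hosts to scan and which check families to run.
CONFIG = {"targets": ["10.0.0.5", "10.0.0.6"], "services": {"ssh", "ftp"}}

# Constructed banner table standing in for the engine's live probes.
BANNERS = {
    ("10.0.0.5", 22): "SSH-1.99-OldSSH_1.5",
    ("10.0.0.5", 21): "220 ExampleFTPd 1.2 ready",
    ("10.0.0.6", 22): "SSH-2.0-OpenSSH_9.6",
    ("10.0.0.6", 21): "220 ExampleFTPd 1.4 ready",
}

PORT_SERVICE = {22: "ssh", 21: "ftp"}


def parse_version(banner):
    """Take the last major.minor pair in the banner as the product version
    (so 'SSH-1.99-OldSSH_1.5' yields (1, 5), not the protocol version)."""
    pairs = re.findall(r"(\d+)\.(\d+)", banner)
    major, minor = pairs[-1]
    return int(major), int(minor)


def run_scan(config, banners, db):
    """3. Scanning engine: fill the per-scan knowledge base, then match it
    against the database. Returns (knowledge_base, sorted findings)."""
    kb = {}  # 4. knowledge base of the current scan: what was observed
    for (host, port), banner in banners.items():
        if host not in config["targets"]:
            continue
        svc = PORT_SERVICE.get(port)
        if svc not in config["services"]:
            continue
        kb[(host, port)] = {"service": svc, "version": parse_version(banner)}

    results = []  # 5. results/report: (host, port, vuln id, severity)
    for (host, port), info in kb.items():
        for vuln in db:
            if vuln["service"] == info["service"] and info["version"] < vuln["affected_lt"]:
                results.append((host, port, vuln["id"], vuln["severity"]))
    return kb, sorted(results)


if __name__ == "__main__":
    kb, findings = run_scan(CONFIG, BANNERS, VULN_DB)
    for host, port, vid, sev in findings:
        print(f"{host}:{port} {vid} ({sev})")
```

Only the two old versions on 10.0.0.5 are reported; nothing is said about 10.0.0.6 because the database has no entry that matches it, which is exactly the "only known vulnerabilities" limitation.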

Scanning 90

Vulnerability Scanning Tools

Scanning 91

Vulnerability Scanning Tools
- Commercial tools include…
  o Harris STAT Scanner
  o ISS's Internet Scanner
  o GFI LANguard Scanner
  o eEye's Retina Scanner
  o Qualys's QualysGuard (subscription based)
  o McAfee's Foundstone Foundscan (also subscription based)

Scanning 92

Nessus
- Nessus --- the most popular free vulnerability scanning tool
  o Can write your own vulnerability checks, and lots of people have already done so
- Nessus plug-ins
  o More than 1,000 plug-ins, in categories

Scanning 93

Nessus Plug-Ins
- Categories of plug-ins are…
  o Backdoors, CGI abuses, Cisco, Default UNIX accounts, DoS, Finger abuses, Firewalls, FTP, Gain shell remotely, Gain root remotely, General, Misc, Netware, NIS, P2P file sharing, Remote file access, RPC, SMTP, SNMP, Windows, Useless services
- Each category: 2 to 100s of vulnerabilities

Scanning 94

Nessus Architecture
- Client-server architecture
  o Client-server authentication, encryption, etc.

Scanning 95

Nessus
- Attacker selects…
  o Plug-ins, target system, port range/type of scanning, port for Nessus client-server communication, encryption algorithm, email address for the report
- Attacker can also write scripts

Scanning 96

Nessus Report
- Nessus report format
- Other tools make the Nessus report more readable and informative

Scanning 97

Vulnerability Scan Defenses
- Close unused ports
- Install latest patches
- Run tools against your own network
  o Be careful of DoS…

Scanning 98

Nessus DoS Options
- Some risky, some not
- Password guessing could also be a problem

Scanning 99

Limitations of Vulnerability Scanning Tools
- Only detect known vulnerabilities
- Tools don't understand network architecture
  o Attacker might
- Only gives a snapshot in time
  o Environment is dynamic

Scanning 100

IDS (and IPS)
- Scanning tools are noisy
- Port scan may use 10,000s of packets
- Vulnerability scan may send 100,000s or millions of packets
- IDS likely to notice such activity
- Attacker must try to evade IDS
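The noise the slide refers to is easy to see from the defender's side: a port scan touches many distinct destination ports on one host in a short window, which ordinary clients never do. The detector below is an added example for these notes (not from the slides or any IDS product); the connection-log format, "epoch src dst dst_port flags", and the sample lines are constructed for the example.

```python
"""Sliding-window port-scan detector over constructed connection-log lines.
Added example; the log format and SAMPLE_LOG are made up for illustration."""
from collections import defaultdict

# Constructed sample: 203.0.113.9 touches ten ports on 10.0.0.5 in six seconds,
# while 198.51.100.4 makes three ordinary web connections a minute apart.
SAMPLE_LOG = """\
1000 203.0.113.9 10.0.0.5 21 S
1000 203.0.113.9 10.0.0.5 22 S
1001 203.0.113.9 10.0.0.5 23 S
1001 203.0.113.9 10.0.0.5 25 S
1002 203.0.113.9 10.0.0.5 80 S
1002 203.0.113.9 10.0.0.5 110 S
1003 203.0.113.9 10.0.0.5 143 S
1003 203.0.113.9 10.0.0.5 443 S
1004 203.0.113.9 10.0.0.5 445 S
1005 203.0.113.9 10.0.0.5 3389 S
1000 198.51.100.4 10.0.0.5 443 S
1030 198.51.100.4 10.0.0.5 443 S
1060 198.51.100.4 10.0.0.5 80 S
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dst_port, flags)."""
    ts, src, dst, port, flags = line.split()
    return int(ts), src, dst, int(port), flags


def detect_port_scans(log_text, window=10, threshold=8):
    """Return {(src, dst): distinct_ports} for every source that touched at
    least `threshold` distinct destination ports on one host within any
    `window`-second span. A sliding window over the sorted timestamps keeps
    the check linear in the number of events per (src, dst) pair."""
    events = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for line in log_text.strip().splitlines():
        ts, src, dst, port, _ = parse_line(line)
        events[(src, dst)].append((ts, port))

    alerts = {}
    for key, lst in events.items():
        lst.sort()
        start = 0
        for end in range(len(lst)):
            # Slide the window start forward until it spans <= `window` seconds.
            while lst[end][0] - lst[start][0] > window:
                start += 1
            ports = {p for _, p in lst[start:end + 1]}
            if len(ports) >= threshold:
                alerts[key] = max(len(ports), alerts.get(key, 0))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ({n} distinct ports)")
```

Thresholds matter: a slow scan spread over hours slips under a ten-second window, which is why an attacker who must evade an IDS will throttle, and why real sensors also keep longer-lived per-source counters.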

Scanning 101

IDS
- Mostly signature based

Scanning 102

IDS Evasion
- To avoid signature detection…
- Change the traffic
  o Change packet structure or syntax
- Change the context
  o IDS might not know the full context

Scanning 103

IDS Evasion at Network Level
- Fragments create a problem for IDS
- Must reassemble fragments
- Attacker could…
  o Use fragments --- IDS may not handle it
  o Fragment flood --- overwhelm IDS
  o Fragment in unusual ways --- to exploit weakness in IDS handling of fragments

Scanning 104

Fragmentation
- Tiny fragments
  o Not too effective vs modern IDS

Scanning 105

Fragmentation
- Fragment overlap
  o Handled differently by different OSs…
  o Which makes the IDS's job more difficult
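Why overlap is a problem for the sensor rather than merely for the host: if two fragments cover the same offsets with different bytes, an IDS that keeps the first copy and a host that keeps the last copy reassemble different payloads. The reassembler below is an added example for these notes (not from the slides or any IDS); fragments are simplified to (offset, data) tuples, and both policies and the sample fragments are constructed. The defender's takeaway is in `is_ambiguous`: a sensor should alert on conflicting overlap instead of guessing which policy the target uses.

```python
"""Tiny IP-fragment reassembler with two overlap policies and conflict detection.
Added example; fragments are (offset, bytes) tuples, a simplification of the
real IP header fields, and the sample fragment sets are constructed."""


def reassemble(frags, policy="first"):
    """Reassemble (offset, data) fragments, given in arrival order.

    policy="first" keeps the earlier bytes on overlap, policy="last" keeps
    the later ones (different stacks have historically done either).
    Returns (payload, conflict); conflict is True when two fragments carried
    different bytes for the same offset, the only case where policy matters."""
    total = max(off + len(data) for off, data in frags)
    buf = bytearray(total)
    written = [False] * total  # has this byte been supplied by an earlier fragment?
    conflict = False
    for off, data in frags:
        for i, b in enumerate(data):
            pos = off + i
            if written[pos] and buf[pos] != b:
                conflict = True
                if policy == "first":
                    continue  # keep the earlier byte
            buf[pos] = b
            written[pos] = True
    return bytes(buf), conflict


def is_ambiguous(frags):
    """True when the choice of overlap policy changes the reassembled payload,
    i.e. when an IDS and the end host could legitimately disagree."""
    first, _ = reassemble(frags, "first")
    last, _ = reassemble(frags, "last")
    return first != last


# Constructed samples. BENIGN is a plain split; OVERLAP rewrites the middle of
# the request in a second fragment, so the two policies yield different paths.
BENIGN = [(0, b"GET /ind"), (8, b"ex.html ")]
OVERLAP = [(0, b"GET /index.html"), (5, b"cgi-bin/x.html")]

if __name__ == "__main__":
    for name, frags in (("benign", BENIGN), ("overlap", OVERLAP)):
        for policy in ("first", "last"):
            payload, conflict = reassemble(frags, policy)
            print(f"{name:8} {policy:5} conflict={conflict} {payload!r}")
        print(f"{name:8} ambiguous={is_ambiguous(frags)}")
```

Under "first" the overlapping set reassembles to the harmless-looking original path; under "last" it becomes the cgi-bin request. A signature matcher that only models one policy misses whichever one the host actually uses, which is the weakness FragRoute-style tools exercise.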

Scanning 106

FragRouter and FragRoute
- FragRouter --- fragmentation tool
- Options include
  o Various sized fragments
  o Various overlapping schemes
- Separates fragmentation from the attack

Scanning 107

IDS Evasion at App Level
- Nikto --- CGI scanner (IDS evasion)
- CGI scripts run on the server, activated by a user on the network
- Large number of CGI scripts are vulnerable
- Nessus does some CGI scanning
- Nikto much more sophisticated
  o For attacks, makes subtle changes in HTTP to evade signature detection

Scanning 108

Nikto IDS evasion strategies
  o Hex equivalents of characters, "Change" to current directory, URL does not include CGI script info (instead, placed in HTTP header), Long (nonexistent but ignored) directory name, Fake parameter(s), TAB separations (instead of spaces), Case, Windows delimiters (backslash), NULL method, Session splicing (separate TCP packets, not fragments)
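Most of the path-level tricks in that list (hex-encoded characters, "./" self-references, doubled or backslash separators, a long bogus directory removed again by "..", mixed case, fake parameters) leave the server resolving the same script while the raw request bytes no longer match a naive signature. The defence is to canonicalise before matching, so one normaliser defeats all of them at once. This is an added example for these notes, not from Nikto or any IDS; the signature set is constructed, and the header-placement, TAB, NULL-method and session-splicing tricks are outside what a path normaliser can address.

```python
"""Canonicalise a request path before signature matching.
Added example; SIGNATURES is a constructed list of paths a sensor watches for."""
from urllib.parse import unquote

SIGNATURES = {"/cgi-bin/test.cgi", "/cgi-bin/phf"}  # constructed


def canonical_path(raw):
    """Reduce a request-target to the path the server would actually resolve."""
    path = raw.split("?", 1)[0]           # fake parameters live in the query string
    prev = None
    while prev != path:                   # decode until stable: catches double encoding
        prev, path = path, unquote(path)
    path = path.replace("\\", "/")        # Windows delimiters
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                      # '//' and '/./' add nothing
        if seg == "..":
            if parts:
                parts.pop()               # bogus directory followed by '..' collapses
            continue
        parts.append(seg)
    return "/" + "/".join(parts).lower()  # case-insensitive match


def naive_match(raw):
    """What a signature engine without normalisation does."""
    return raw in SIGNATURES


def matches_signature(raw):
    """Match after canonicalisation."""
    return canonical_path(raw) in SIGNATURES


# Constructed variants of one request, one per evasion in the slide's list.
VARIANTS = [
    "/cgi-bin/test.cgi",                  # plain
    "/cgi-bin/%74est.cgi",                # hex equivalent of 't'
    "/cgi-bin/%2574est.cgi",              # double-encoded
    "/cgi-bin/./test.cgi",                # change to current directory
    "/cgi-bin//test.cgi",                 # doubled separator
    "/aaaaaaaaaaaaaaaaaa/../cgi-bin/test.cgi",  # long bogus directory
    "/cgi-bin/test.cgi?x=1&fake=2",       # fake parameters
    "/CGI-BIN/Test.CGI",                  # case
    "/cgi-bin\\test.cgi",                 # Windows delimiter
]

if __name__ == "__main__":
    for v in VARIANTS:
        print(f"{v:45} naive={naive_match(v)!s:5} canonical={matches_signature(v)}")
```

Run as a script, only the first variant is caught by the naive check, while every variant matches after canonicalisation; an unrelated path such as /cgi-bin/other.cgi still does not.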

Scanning 109

IDS Evasion Defenses
- Use IDS, regardless of attacks
- Keep signatures up to date
- Use host-based & network-based IDS
  o For example, a fragmentation attack is easier to detect with a host-based defense

Scanning 110

Conclusion

Scanning 111

Summary