Chapter 2Chapter 2
ScanningScanning
Last modified 2-2-11
Determining If The System Is Alive Determining If The System Is Alive
Determining If The System Is Alive Determining If The System Is Alive
Network Ping SweepsNetwork Ping Sweeps– Ping is traditionally used to send ICMP ECHO Ping is traditionally used to send ICMP ECHO
(Type 8) packets to a target system(Type 8) packets to a target system– Response is ICMP ECHO_REPLY (Type 0) Response is ICMP ECHO_REPLY (Type 0)
indicating the target system is alive indicating the target system is alive – Traffic can be ICMP, ARP, TCP, or UDPTraffic can be ICMP, ARP, TCP, or UDP
ARP Host Discovery
Demo: Cain
ARP Host Discovery
ARP Scan
Advantages – Operates at layer 2– A firewall will not conceal a device from an
ARP scan
Disadvantage– Must be on target’s network segment– Cannot scan through routers
ARP Scanning Tools
arp-scan– Linux command-line tool
Nmap-PR to do ARP scan-sn to skip host discovery
Cain– Sniffer tab– Enable sniffer– Click +
Demo:Nmap
ICMP Packet TypesICMP Packet Types
Message Type: 0 - Echo ReplyMessage Type: 0 - Echo ReplyMessage Type: 3 - Destination UnreachableMessage Type: 3 - Destination UnreachableMessage Type: 4 - Source QuenchMessage Type: 4 - Source QuenchMessage Type: 5 - RedirectMessage Type: 5 - RedirectMessage Type: 8 – Echo RequestMessage Type: 8 – Echo RequestMessage Type: 11 - Time ExceededMessage Type: 11 - Time ExceededMessage Type: 12 - Parameter ProblemMessage Type: 12 - Parameter ProblemMessage Type: 13 - TimestampMessage Type: 13 - TimestampMessage Type: 14 - Timestamp ReplyMessage Type: 14 - Timestamp ReplyMessage Type: 15 - Information RequestMessage Type: 15 - Information RequestMessage Type: 16 - Information ReplyMessage Type: 16 - Information ReplyMessage Type: 17 – Address Mask RequestMessage Type: 17 – Address Mask RequestMessage Type: 18 – Address Mask ReplyMessage Type: 18 – Address Mask Reply
ICMP Queries ICMP Queries
icmpquery uses ICMP type 13 icmpquery uses ICMP type 13 (TIMESTAMP) to find the system time, (TIMESTAMP) to find the system time, which shows its timezonewhich shows its timezone
ICMP type 17 (ADDRESS MASK ICMP type 17 (ADDRESS MASK REQUEST) shows the subnet maskREQUEST) shows the subnet mask– Link Ch 2nLink Ch 2n
Network Discovery Tools
Nmap ICMP Options
nping (Included with Nmap)
SuperScanSuperScan
Windows Windows freewarefreewareNot so fast Not so fast anymoreanymoreDoes PING Does PING scanning, using scanning, using several types of several types of ICMP packetsICMP packetsAlso does port Also does port scanning, banner scanning, banner grabbing, whois, grabbing, whois, and enumerationand enumeration
Unix Ping Detection ToolsUnix Ping Detection Tools
ScanlogdScanlogd
CourtneyCourtney
IpplIppl
ProtologProtolog
ICMP BlockingICMP Blocking
ICMP is often blocked these daysICMP is often blocked these days– Blocked by default in Win XP SP2, Win 2003 Blocked by default in Win XP SP2, Win 2003
SP 1, and VistaSP 1, and Vista
If ICMP is blocked, use port scanningIf ICMP is blocked, use port scanning– Slower than ping sweepingSlower than ping sweeping
SuperScan for WindowsSuperScan for Windows
Nmap for Linux, Unix, or WindowsNmap for Linux, Unix, or Windows
Hping2 for Unix (can fragment packets)Hping2 for Unix (can fragment packets)
Ping Sweeps Countermeasures Ping Sweeps Countermeasures
Detecting Ping SweepsDetecting Ping Sweeps– Network-based Intrusion Detection Systems Network-based Intrusion Detection Systems
like Snort detect ping sweepslike Snort detect ping sweeps– Ping scans will be in the host logsPing scans will be in the host logs– Firewalls can detect ping scansFirewalls can detect ping scans
Blocking ICMPBlocking ICMP
Routers may require some ICMP packets, Routers may require some ICMP packets, but not all typesbut not all types
Safest procedure would be to allow ICMP Safest procedure would be to allow ICMP only from your ISP, and only to public only from your ISP, and only to public servers on your DMZservers on your DMZ
Other ICMP ThreatsOther ICMP Threats
ICMP can be used for a Denial of Service ICMP can be used for a Denial of Service attackattack
ICMP can be used as a covert channel ICMP can be used as a covert channel with Lokiwith Loki– Allowing unauthorized data transferAllowing unauthorized data transfer– Such as control signals for a back-door trojanSuch as control signals for a back-door trojan– Links Ch 2l, Ch 2mLinks Ch 2l, Ch 2m
Determining Which Services Determining Which Services are Running or Listeningare Running or Listening
2121
Normal TCP HandshakeNormal TCP Handshake
ClientClient SYN SYN ServerServer
ClientClient SYN/ACK SYN/ACK ServerServer
ClientClient ACKACK ServerServer
After this, you are ready to send dataAfter this, you are ready to send data
2222
SYN Port ScanSYN Port ScanClientClient SYN SYN ServerServer
ClientClient SYN/ACK SYN/ACK ServerServer
ClientClient RSTRST ServerServer
The server is ready, but the client decided The server is ready, but the client decided not to complete the handshakenot to complete the handshake
2323
Types of Port ScansTypes of Port Scans
SYN scanSYN scan– Stealthy scan, because session handshakes are Stealthy scan, because session handshakes are
never completednever completed– That keeps it out of some log filesThat keeps it out of some log files– Three statesThree states
ClosedClosed
OpenOpen
FilteredFiltered
2424
Types of Port ScansTypes of Port Scans
Connect scanConnect scan– Completes the three-way handshakeCompletes the three-way handshake– Not stealthy--appears in log filesNot stealthy--appears in log files– Three statesThree states
ClosedClosed
OpenOpen
FilteredFiltered
Other Scan TypesOther Scan Types
TCP FIN scan TCP FIN scan
TCP Xmas Tree scan (FIN, URG, and TCP Xmas Tree scan (FIN, URG, and PUSH)PUSH)
TCP Null scan TCP Null scan – Handled differently by Linux and WindowsHandled differently by Linux and Windows
TCP ACK scan TCP ACK scan – Returns RST unless the port is filteredReturns RST unless the port is filtered
UDP ScanningUDP Scanning
No handshake, so less useful than TCP No handshake, so less useful than TCP scansscans
Much more powerful in newer versions of Much more powerful in newer versions of NmapNmap
Sends valid UDP requests to well-known Sends valid UDP requests to well-known portsports– Send a DNS query to port 53, etc.Send a DNS query to port 53, etc.
Response indicates open UDP portResponse indicates open UDP port
TCP HeaderTCP Header
WINDOWWINDOW indicates the amount of data that may indicates the amount of data that may be sent before an acknowledgement is requiredbe sent before an acknowledgement is required
TCP Window ScanTCP Window Scan
Sends ACK packetsSends ACK packets– Both open and closed ports reply with RST Both open and closed ports reply with RST
packetspackets– But on some operating systems, the But on some operating systems, the
WINDOW size in the TCP header is non-zero WINDOW size in the TCP header is non-zero for open ports, because the listening service for open ports, because the listening service does sometimes send datadoes sometimes send data
– Link Ch 2xLink Ch 2x
RPC ScanRPC Scan
SunRPC (Sun Remote Procedure Call) is SunRPC (Sun Remote Procedure Call) is a common UNIX protocol used to a common UNIX protocol used to implement many services including NFS implement many services including NFS (Network File System)(Network File System)
The RPC scan works on Unix systems, The RPC scan works on Unix systems, including Solarisincluding Solaris
Enumerates RPC services, which are rich Enumerates RPC services, which are rich in exploitable security holesin exploitable security holes– See link Ch 2ySee link Ch 2y
NmapNmap
Interesting optionsInteresting options-f -f fragments packetsfragments packets
-D-D Launches decoy scans for Launches decoy scans for concealmentconcealment
-I-I IDENT Scan – finds owners of IDENT Scan – finds owners of processesprocesses
(on Unix systems)(on Unix systems)
-b-b FTP Bounce (see next slide)FTP Bounce (see next slide)
FTP BounceFTP Bounce
1. Transfer attack code to FTP server
2. Request file transfer to target
Attacker
FTP Server
Target
FTP BounceFTP Bounce
Old FTP servers allowed a request for a Old FTP servers allowed a request for a file transfer to a third IP addressfile transfer to a third IP address
This could be used to send email or other This could be used to send email or other data to the third computer from the FTP data to the third computer from the FTP serverserver
Very old attack, from 1995Very old attack, from 1995
Almost unusable todayAlmost unusable today
Windows-Based Port Scanners Windows-Based Port Scanners
SuperScanSuperScan– Four different ICMP host-discovery Four different ICMP host-discovery
techniquestechniques– Accurate UDP scan sending "Data+ICMP" Accurate UDP scan sending "Data+ICMP" – Banner grabbingBanner grabbing– Many other toolsMany other tools
Nmap with the Zenmap GUINmap with the Zenmap GUI– Powerful, runs on WindowsPowerful, runs on Windows
Command-line ScannersCommand-line Scanners
ScanlineScanline– For WindowsFor Windows
netcatnetcat– For Windows and LinuxFor Windows and Linux
nmapnmap– Can be run on the command line, on Windows Can be run on the command line, on Windows
or Linuxor Linux
Port Scanning Countermeasures Port Scanning Countermeasures
Snort (http://www.snort.org) is a great free Snort (http://www.snort.org) is a great free IDS (Intrusion Detection System)IDS (Intrusion Detection System)– [**] spp_portscan: PORTSCAN DETECTED [**] spp_portscan: PORTSCAN DETECTED from 192.168.1.10 [**] 05/22-from 192.168.1.10 [**] 05/22-18:48:53.681227 [**] spp_portscan: 18:48:53.681227 [**] spp_portscan: portscan status from 192.168.1.10: 4 portscan status from 192.168.1.10: 4 connections across 1 hosts: TCP(0), connections across 1 hosts: TCP(0), UDP(4) [**] 05/22-18:49:14.180505 [**] UDP(4) [**] 05/22-18:49:14.180505 [**] spp_portscan: End of portscan from spp_portscan: End of portscan from 192.168.1.10 [**] 05/22-18:49:34.180236192.168.1.10 [**] 05/22-18:49:34.180236
Other Detection ToolsOther Detection Tools
ScanlogdScanlogd– Detects TCP Port Scans on UnixDetects TCP Port Scans on Unix
Firewalls can detect port scansFirewalls can detect port scans– Use Use threshold loggingthreshold logging to limit the volume of to limit the volume of
email alerts sent by your firewallemail alerts sent by your firewall– That groups similar alerts into a single emailThat groups similar alerts into a single email
AttackerAttacker– Windows tool from Foundstone to detect port Windows tool from Foundstone to detect port
scansscans
Preventing Port ScansPreventing Port Scans
You can't stop the scans from coming in, You can't stop the scans from coming in, but you can mimimize your attack surfacebut you can mimimize your attack surface
Disable unnecessary servicesDisable unnecessary services
Detecting the Operating System Detecting the Operating System
Banner-GrabbingBanner-Grabbing– Many services announce what they are in Many services announce what they are in
response to requestsresponse to requests– Banner grabbers just collect those bannersBanner grabbers just collect those banners– But they could be spoofedBut they could be spoofed
Active Stack Fingerprinting Active Stack Fingerprinting
Details of the TCP Packets are used to Details of the TCP Packets are used to identify the operating systemidentify the operating system
Nmap does this, using these probes:Nmap does this, using these probes:– FIN probe FIN probe – Bogus Flag probe Bogus Flag probe – Initial Sequence Number (ISN) sampling Initial Sequence Number (ISN) sampling – "Don't fragment bit" monitoring "Don't fragment bit" monitoring – TCP initial window size TCP initial window size
And many othersAnd many others
Operating System Detection Operating System Detection Countermeasures Countermeasures
IDS can detect operating system detection IDS can detect operating system detection scansscans
Hacking the OS to change its TCP stack is Hacking the OS to change its TCP stack is dangerous, and not recommendeddangerous, and not recommended
Best policy: Accept that your firewalls and Best policy: Accept that your firewalls and proxy servers will be scanned and proxy servers will be scanned and fingerprinted, and harden them against fingerprinted, and harden them against attackers who know the OSattackers who know the OS
Passive Operating System Passive Operating System Identification Identification
Sniff traffic and guess the OS from thatSniff traffic and guess the OS from that
Examine these featuresExamine these features– TTLTTL (time-to-live) (time-to-live)– Window sizeWindow size– DFDF (Don't fragment bit) (Don't fragment bit)
siphon was the first tool to do this, it's out siphon was the first tool to do this, it's out of dateof date
p0f is a newer one (link Ch 2z6)p0f is a newer one (link Ch 2z6)
p0f on Vistap0f on Vista
Run p0f in a Command Prompt WindowRun p0f in a Command Prompt Window
Open a Web pageOpen a Web page
It fingerprints any OS it can see on the It fingerprints any OS it can see on the LANLAN
Nmap Plus MetasploitNmap Plus Metasploit
Nmap scans can be imported into Nmap scans can be imported into Metasploit for further exploitationMetasploit for further exploitation
Details at end of chapter 2Details at end of chapter 2
Automated Discovery Tool: Automated Discovery Tool: Cheops-ngCheops-ng
Combines Ping, Combines Ping, Traceroute, Port Traceroute, Port Scans, and OS Scans, and OS Detection to draw Detection to draw a network mapa network map– Link Ch 2z7Link Ch 2z7
Windows 7's Windows 7's "Network Map" is "Network Map" is similarsimilar
Top Related