
Thomas Kemmerich

Hacking - Network Security Introduction, 0. introduction

BaSoTi 2016 - Tallinn

Hacking Information Security

A practical course in Ethical Hacking


I. Exercise:

• You shall conduct a penetration test for a dedicated WLAN set up for this BaSoTi course

• It is a black-box test

• Describe all tasks and steps you carry out during the test!

• Develop a form for the report

• What else do you need for the preparation?

→ Make a short presentation of your plan before you start

Groups of 5 students

02-Scanning - 25 July 2016


II. Exercise:

• Install Kali Linux in a virtual machine (VirtualBox or a similar VM product), if not done yet (one installation per group)

• Start the aircrack-ng suite (airodump-ng) or e.g. kismet to monitor the air and find out the SSID of the target network

• Find out the WPA passphrase and connect to the WLAN

Confirm with me that you are connected to the right network!


III. Exercise:

• Scan the network with zenmap and describe what you found

Confirm with me that you are connected to the right network!


Ethical Hacking*

Scanning


Ethical Hacking*

Scanning:

* These slides are produced according to the lecture 'Ethical Hacking!' by Lasse Øverlier, Høgskolen i Gjøvik

• Scanning: - war dialling - war driving

• Network scanning: - sweeping, tracing, ports, OS, versions → vulnerabilities

• Zenmap gives us an overview of the entire network we are connected to

• amap (application-protocol mapper) or Nessus (vulnerability scanner) for the later steps


War Dialling:

• Looking for modems to dial into - more and more obsolete

• May still find closed networks (modems attached to internal systems)

• War dialers (ref. "War Games"): THC-Scan (THC: The Hacker's Choice)

• Defences: Modems needed? Modem policy? Dial-out only!


War Driving:

• Looking for wireless access points - many examples, especially in business areas, of finding a lot of open APs (war walking, biking, flying, ...)

• Accessible up to about 300 m (further with a directional antenna)

• Collecting the ESSIDs (up to 32 characters), the "name of the WLAN"; SSIDs = ESSIDs + BSSIDs (MAC address of the AP)

• Methods: - active scanning - passive scanning - forcing deauthentication


Active scanning:

• Sending probe requests with ESSID = "Any" (broadcast probe); access points answer with probe responses

• NetStumbler: tool for collecting information automatically - 802.11 a, b, g - GPS support for plotting ESSIDs directly on maps

• Including security information - open or encrypted - WEP - WPA - WPA2 - ...


Passive scanning:

• Sniffing the traffic (interface in monitor mode)

• ESSID is included in clear text in beacons and probe responses

• Nobody notices that the attacker is listening - no packets are sent

• Kismet

• aircrack-ng (airodump-ng)
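What a passive scanner actually recovers from a sniffed beacon (the ESSID in clear text, the BSSID, and the security mode that active scanners like NetStumbler also report), as an added example that is not part of the course material: a small 802.11 beacon parser. The frames it parses are constructed inline by build_beacon() with an invented BSSID and SSIDs; the capability Privacy bit, the RSN element (id 48) and the WPA vendor element (OUI 00:50:F2, type 1) are the real 802.11 fields a tool such as airodump-ng uses to label a network open/WEP/WPA/WPA2.

```python
"""Parse 802.11 beacon frames: ESSID, BSSID and advertised security mode.
Added example, not course code. Sample frames are constructed, not captured."""
import struct

IE_SSID = 0
IE_RSN = 48                       # RSN information element -> WPA2 (802.11i)
IE_VENDOR = 221                   # vendor-specific element
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"  # Microsoft OUI, type 1 -> WPA (v1)
CAP_PRIVACY = 0x0010              # capability bit 4: encryption required


def build_beacon(bssid: bytes, ssid: bytes, privacy: bool, ies: bytes = b"") -> bytes:
    """Construct a minimal beacon frame (used only to create sample input)."""
    fc = 0x0080                   # frame control: type 0 (management), subtype 8 (beacon)
    broadcast = b"\xff" * 6
    hdr = struct.pack("<HH6s6s6sH", fc, 0, broadcast, bssid, bssid, 0)  # 24-byte MAC header
    cap = CAP_PRIVACY if privacy else 0
    fixed = struct.pack("<QHH", 0, 100, cap)  # timestamp, beacon interval, capability info
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid
    return hdr + fixed + ssid_ie + ies


def parse_ies(body: bytes):
    """Yield (element_id, data) for the tagged parameters of a beacon body."""
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) < length:
            break                 # truncated element: stop rather than mis-parse
        yield eid, data
        i += 2 + length


def parse_beacon(frame: bytes) -> dict:
    """Return ESSID, BSSID and the security mode advertised by one beacon."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc, _dur, _a1, a2, _a3, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    if (fc & 0x00FC) != 0x0080:
        raise ValueError("not a beacon frame")
    _ts, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    ssid, rsn, wpa1 = None, False, False
    for eid, data in parse_ies(frame[36:]):
        if eid == IE_SSID:
            ssid = data.decode("utf-8", "replace")  # empty string = "hidden" SSID
        elif eid == IE_RSN:
            rsn = True
        elif eid == IE_VENDOR and data[:4] == WPA_OUI_TYPE:
            wpa1 = True
    if not cap & CAP_PRIVACY:
        security = "open"
    elif rsn:
        security = "WPA2"
    elif wpa1:
        security = "WPA"
    else:
        security = "WEP"          # privacy bit set, but neither RSN nor WPA element
    return {"bssid": ":".join(f"{b:02x}" for b in a2), "essid": ssid, "security": security}


def survey(frames) -> list:
    """What a passive scanner would list after sniffing these beacons."""
    return [parse_beacon(f) for f in frames]


# Constructed sample beacons (invented BSSID and network names).
BSSID = bytes.fromhex("001122334455")
RSN_IE = bytes([IE_RSN, 2]) + b"\x01\x00"                       # RSN version 1, truncated body
WPA_IE = bytes([IE_VENDOR, 6]) + WPA_OUI_TYPE + b"\x01\x00"      # WPA version 1
SAMPLE_FRAMES = {
    "open": build_beacon(BSSID, b"BaSoTi-Guest", privacy=False),
    "wep": build_beacon(BSSID, b"legacy-net", privacy=True),
    "wpa": build_beacon(BSSID, b"abrakadabra", privacy=True, ies=WPA_IE),
    "wpa2": build_beacon(BSSID, b"abrakadabra", privacy=True, ies=RSN_IE),
    "hidden": build_beacon(BSSID, b"", privacy=True, ies=RSN_IE),
}

if __name__ == "__main__":
    for name, entry in zip(SAMPLE_FRAMES, survey(SAMPLE_FRAMES.values())):
        print(f"{name:7s} {entry['bssid']}  {entry['essid']!r:16s} {entry['security']}")
```

The "hidden" case shows why a suppressed SSID is a weak defence: the beacon still carries the BSSID and the RSN element, and the name itself reappears in probe responses and in clients' probe requests, which the same sniffer collects.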


Passive scanning:

[map: wireless networks in Europe on 29.08.2014]


War driving defence:

• Set the ESSID to a neutral name: "abrakadabra" vs "Special-Bank-of-the-Rich" (hiding the SSID does not help against passive sniffing: probe responses and client probe requests still carry it)

• Use WPA2 with AES (CCMP) encryption - avoid WEP, and WPA/WPA2 with TKIP

• Use VPNs - IPsec

• Use Intrusion Detection/Prevention Systems (IDS / IPS)

• Physical protection - reduce transmitter power - avoid coverage beyond the perimeter


Network Scanning:

• Sweeping

• Tracing

• Port scanning

• Identifying OS and applications

• Identifying SW and HW versions

• Identifying vulnerabilities


Network Sweeping:

Identify which hosts are alive within an IP range ("ping sweep")

# for x in {1..254}; do ping -c 1 -W 1 -q 10.1.1.$x >/dev/null && echo "10.1.1.$x is alive"; done

• Tools (choice): - nmap, zenmap - Angry IP Scanner - ICMPQuery - ping, hping - netdiscover - unicornscan

nmap -sn 10.22.0.0/24 (ping scan only, no port scan; -sP is the older spelling of the same option)

Hosts that drop ICMP echo are missed by a plain ping sweep; on the local LAN nmap discovers hosts with ARP requests, which a host cannot filter.


Scanning:

[zenmap screenshot]


Size of Scan

Size of networks:
- /24 → scanning 256 hosts
- /16 → scanning 65,536 hosts
- /8 → scanning 16,777,216 hosts

If timeout == 5 s and serial scanning:
- /24 → 21 min
- /16 → 91 hours
- /8 → 970 days ...


Tracing:

Locating network structure / topology

Additional information identified: routers, subnets, gateways

Tools: - traceroute - cheops-ng - zenmap


Traceroute [screenshot]


Traceroute, Layer Four Traceroute (LFT)

Much more flexible than traceroute/tracert.exe

Enables traceroute using: - ICMP echo request - TCP - UDP - AS number lookup - IP options - setting the source port


Port Scanning

You identified live hosts:

• Need to identify open ports (UDP and TCP)

• Scan size important again ... - 65,536 ports for TCP and - 65,536 ports for UDP

Scanning all ports on all computers: 1 s/port (optimistic guess) → 36 h for one IP address ... and if you have a large network of 100+ computers ...


Port Scanning

• Only probe the ports that are most commonly used:

20 (FTP data), 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS), 67 (BOOTP/DHCP server), 68 (BOOTP/DHCP client), 80 (HTTP), 110 (POP3), 135 (MS-RPC endpoint mapper), 137 (NetBIOS name service), 139 (NetBIOS session), 143 (IMAP), 443 (HTTPS), 445 (SMB over TCP), 465 (SMTPS), 585 (IMAP4-SSL, legacy), 587 (SMTP submission), 993 (IMAPS), 995 (POP3S), ... (nmap's default is its list of the 1000 most frequently open ports)

• Many scanners probe in parallel • Speed up the send rate


Port Scanning

Some TCP port scanning types (only a selection):

- Connect - SYN - FIN - Xmas tree - Null - TCP ACK


Port Scanning

TCP Header: [figure]


Port Scanning - Connect Scan:

Sets up a complete TCP connection (three-way handshake) to each port

Closed port → TCP RESET; no response or an ICMP unreachable message → a packet filter is in the way

"The polite scan": needs no raw sockets, only the OS connect() call

Easy to detect: the handshake completes, so the application's accept() sees the connection and it is normally logged (with IP addresses)
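The connect scan described above, written out as an added example rather than course code: probe() calls connect() and reads the port state off the outcome (handshake completed, RST received as ConnectionRefusedError, or silence until the timeout), and connect_scan() runs the probes through a thread pool for the parallel probing the slides recommend. demo() starts a listener on an ephemeral loopback port and picks a second, unused port so the scan can run offline; the host, port list and timeouts are constructed for the example.

```python
"""TCP connect scan with parallel probing. Added example, not course code."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Subset of the commonly probed ports from the slides
COMMON_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995]


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """One full three-way handshake; the kernel does the SYN / SYN|ACK / ACK."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"                    # handshake completed, accept() fires on the server
        except ConnectionRefusedError:
            return "closed"                  # server answered the SYN with RST
        except (socket.timeout, TimeoutError):
            return "filtered"                # no answer: a packet filter dropped the SYN
        except OSError:
            return "filtered"                # e.g. ICMP unreachable reported by the stack


def connect_scan(host: str, ports, timeout: float = 1.0, workers: int = 32) -> dict:
    """Scan the ports in parallel; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(host: str, ports, timeout: float = 1.0) -> list:
    return sorted(p for p, st in connect_scan(host, ports, timeout).items() if st == "open")


def demo() -> dict:
    """Offline demonstration: one listening loopback port, one known-closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(5)
    lport = listener.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    cport = tmp.getsockname()[1]
    tmp.close()                              # nobody listens on cport any more
    try:
        states = connect_scan("127.0.0.1", [lport, cport], timeout=1.0)
    finally:
        listener.close()
    return {"listening_port": lport, "closed_port": cport, "states": states}


if __name__ == "__main__":
    result = demo()
    for port, state in sorted(result["states"].items()):
        print(f"127.0.0.1:{port:<5d} {state}")
```

This is what nmap -sT does. Every "open" result here has already produced an accepted connection on the target, which is exactly why the connect scan is the easiest one to find in server logs; the SYN scan on the next slide avoids that by never sending the final ACK, at the price of needing raw sockets.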


Port Scanning - SYN Scan:

"Half-open" scan

Closed port: TCP RESET (no response or ICMP unreachable → filtered)

Open port: SYN|ACK received; the scanner answers with RST instead of completing the handshake

No logs recorded at the server (normally): the connection never reaches the application, although firewalls and IDS still see the SYN

Faster, no complete connection setup; needs raw sockets (root) to craft the SYN

Could create a Denial-of-Service (DoS) condition: SYN floods create many half-open connections and exhaust the target's connection state


Port Scanning - FIN Scan:

Uses the FIN flag, which normally tears down a connection

Closed port: TCP RESET

Open port: no response

No logs recorded at the server (normally)

Fast

Firewalls may block the incoming FIN or the response

Only works against stacks that follow RFC 793: Windows and many network devices answer RST regardless of port state, so every port looks closed (the same applies to the Xmas and Null scans)


Port Scanning - Xmas tree Scan:

FIN, PSH and URG set: "lit up like a Christmas tree"

Closed port: TCP RESET

Open port: no response

May traverse firewalls that only look for SYN packets

Firewalls may block the incoming Xmas probe or the response

Invalid use of flags ... the response is not explicitly specified; RFC 793 stacks drop the segment on an open port and answer RST on a closed one


Port Scanning - Null Scan:

No flags set in the probe

Closed port: TCP RESET

Open port: no response

Firewalls may block the incoming probe or the response

Use of no flags ... the response is not explicitly specified

Does not work on Windows computers (RST on every port)


Port Scanning - ACK Scan:

Probes ports at the filtering device (packet filter device, PFD)

Filtered: no response or ICMP unreachable

Unfiltered: TCP RESET from the server behind the PFD if the ACK reaches the server (= port passed by the PFD), whether the port is open or closed

Measures the filtering capability of the PFD (not open/closed ports); a stateful firewall drops the unsolicited ACK, so every port appears filtered
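The TCP header slide and the five scan types above, as one added example (not course code): build_tcp_header() assembles the 20-byte header with the flag byte each scan sets, including the checksum over the IPv4 pseudo-header, and interpret() encodes the decision rules the slides give for reading the target's answer (RST, SYN|ACK, nothing, or an ICMP unreachable) back into a port state. The IP addresses and ports are invented for the checksum computation; nothing is put on the wire, since sending crafted segments needs a raw socket and root.

```python
"""TCP header construction for SYN/FIN/Xmas/Null/ACK probes and the
response-to-state rules of each scan type. Added example, not course code."""
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag byte sent by each scan type (all other flags clear)
SCAN_FLAGS = {
    "syn": SYN,
    "fin": FIN,
    "xmas": FIN | PSH | URG,    # "lit up like a Christmas tree"
    "null": 0,
    "ack": ACK,
}


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's complement of the one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_header(src_ip: str, dst_ip: str, sport: int, dport: int,
                     flags: int, seq: int = 0, window: int = 1024) -> bytes:
    """20-byte TCP header, no options; checksum covers pseudo-header + header."""
    data_offset = 5 << 4        # 5 x 32-bit words, upper nibble of byte 12
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_flags(hdr: bytes) -> int:
    """Flag byte is byte 13 of the header (after the data-offset byte)."""
    return hdr[13]


def verify_checksum(src_ip: str, dst_ip: str, hdr: bytes) -> bool:
    """Summing a correctly checksummed header with its pseudo-header yields 0."""
    return checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr) == 0


def interpret(scan: str, response: str) -> str:
    """Port state from the target's answer; response is one of
    'syn-ack', 'rst', 'none', 'icmp-unreachable'. States follow nmap's naming."""
    if scan == "syn":
        return {"syn-ack": "open", "rst": "closed"}.get(response, "filtered")
    if scan in ("fin", "xmas", "null"):
        # RFC 793: closed port answers RST, listening port drops the segment.
        # Silence cannot be told apart from a filter, hence "open|filtered".
        return {"rst": "closed", "none": "open|filtered"}.get(response, "filtered")
    if scan == "ack":
        # An ACK never distinguishes open from closed; it only shows whether the
        # packet filter passed it through to a host that answers with RST.
        return {"rst": "unfiltered"}.get(response, "filtered")
    raise ValueError(f"unknown scan type {scan!r}")


if __name__ == "__main__":
    for name, flags in SCAN_FLAGS.items():
        hdr = build_tcp_header("10.0.0.1", "10.0.0.2", 40000, 80, flags)
        print(f"{name:5s} flags=0x{tcp_flags(hdr):02x} header={hdr.hex()}")
```

A stack that answers every probe with RST (the Windows behaviour noted on the Null-scan slide) makes interpret() report "closed" for all FIN, Xmas and Null probes, which is why those scans are only informative against RFC 793-conformant targets.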


IV. Exercise:

• Use nmap to scan the server (x.x.x.x)

• Describe open ports and services

• Can you identify vulnerabilities? If yes, describe them in the report; if yes → short presentation

05.08.2016


V. Exercise:

• You get access to the server

• Try to find out as much as you can about the server (30 min)

• Give a short presentation

05.08.2016


VI. Exercise:

• Capture traffic with Wireshark and evaluate the traffic

05.08.2016


Discussion about the procedures and the results:

05.08.2016


Questions?

Feedback!
