IP Network Scanning
Outline

What is IP network scanning? Concepts and motivation
Example tool: nmap
Scanning types: host discovery, port scanning, version detection, OS detection
What is Scanning?

A method to gather information about the devices running on a network, typically to discover the services or servers present: which hosts are up, and which services are they offering?

Do not confuse this with a "host vulnerability scanner" (Nessus, SAINT), which further explores a computer by testing for common vulnerabilities.
Why Scanning?

Network security assessment: evaluating and auditing security, firewall penetration testing (policy auditing), IDS proof/evaluation, identifying unexpected new servers.
Identifying open ports, either to proactively protect the network (network and security admins) or to attack it (hackers).
nmap

A well-known and free security scanner written by Fyodor (http://insecure.org/nmap/).
First released Sept 1, 1997 in Phrack 51, "The Art of Port Scanning" (http://www.phrack.org/issues.html?issue=51).
Many updates since then: OS detection (http://www.phrack.org/issues.html?issue=54&id=9#article), version scanning, ARP scanning.
Version 5.00 as of this document.

Usage:
nmap [scan types] [options] <host or net ...>
Why nmap?

An excellent tool with a long history of development and support, continuous development and improvements; the "industry standard" port scanner.
nmap features

Host discovery: which hosts are alive? Identifying computers on a network, for example listing the computers that respond to pings (ping sweeps).
Port scanning: what services are available? Enumerating the open ports on one or more target computers.
Service and version detection: which version is running? Determining the application name and version number.
OS detection: what platforms are served? Remotely determining the OS and some hardware characteristics of network devices.
Host Discovery

Querying multiple hosts using this method is referred to as a ping sweep. It is the most basic step in mapping out a network.
Several sweep techniques: ICMP sweeps, broadcast ICMP, non-echo ICMP, TCP sweep, UDP sweep.
Host Discovery: ICMP Sweeps

Technique: send an ICMP ECHO request (ICMP type 8). If an ICMP ECHO reply (ICMP type 0) is received, the target is alive; no response means the target is down (or the probe was filtered).
Pros and cons: easy to implement; fairly slow and easy to block.

Scanner -> Target: ICMP ECHO request
Target -> Scanner: ICMP ECHO reply        (host is alive)

Scanner -> Target: ICMP ECHO request
No response                               (host is down or filtered)
Host Discovery: Broadcast ICMP

Sending an ICMP ECHO request to the network and/or broadcast addresses. Windows ignores this, and most routers block it.
Host Discovery: Non-ECHO ICMP

ICMP type 13 messages (TIMESTAMP): query the current time.
ICMP type 17 messages (ADDRESS MASK REQUEST): used by diskless systems to obtain their subnet mask at bootstrap time (RFC 792).
Host Discovery: TCP Sweeps

Sending TCP ACK or TCP SYN packets. The port number can be selected to avoid blocking by a firewall; usually a good pick would be 21 / 22 / 23 / 25 / 8080.
But firewalls can spoof a RESET packet for an IP address, so TCP sweeps may not be reliable.
Host Discovery: UDP Sweeps

Relies on the ICMP PORT UNREACHABLE message: assume the port is open if no ICMP PORT UNREACHABLE message is received after sending a UDP datagram. The UDP sweep relies on the fact that a non-active UDP port will respond with an ICMP PORT UNREACHABLE message.
Cons: routers can drop UDP packets as they cross the Internet; many UDP services do not respond when correctly probed; firewalls are usually configured to drop UDP packets (except for DNS).
nmap Host Discovery summary

-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-PN: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
-sU: UDP Scan
Port Scanning

To determine what services are running or are in a LISTENING state.
Some well-known types: TCP connect scan, TCP SYN scan, stealth scan, FTP bounce scan.
Port Scanning: TCP Connect Scan

Uses the basic TCP connection establishment mechanism, completing the 3-way handshake. Easy to detect by inspecting the system log.

Scanner -> Target: SYN
Target -> Scanner: SYN/ACK
Scanner -> Target: ACK            (port is open)

Scanner -> Target: SYN
Target -> Scanner: RST/ACK        (port is closed)
Port Scanning: TCP SYN Scan

Does not establish a complete connection (half-open scanning): send a SYN packet and wait for a response. If a SYN/ACK is received, the port is LISTENING; the scanner immediately tears down the connection by sending a RESET. If an RST/ACK is received, the port is non-LISTENING.

Scanner -> Target: SYN
Target -> Scanner: SYN/ACK
Scanner -> Target: RST            (port is open)

Scanner -> Target: SYN
Target -> Scanner: RST/ACK        (port is closed)
Port Scanning: Stealth Scan

Goal: to gather information about target sites while avoiding detection, by hiding among normal network traffic and not being recorded by the logging mechanism (stealth).
Techniques:
Flag probe packets (also called "inverse mapping"): a response is sent back only by a closed port, so by determining which services do not exist an intruder can infer which services do exist.
Slow scans: a slow probe rate is difficult to detect, so detection needs a long history log. CERT reported this technique in CERT(R) Incident Note IN-98.04 (http://www.cert.org/incident_notes/IN-98.04.html).
Port Scanning: Stealth Mapping

RFC 793 on handling wrong-state packets: closed ports reply with a RESET to a wrong-state packet; open ports ignore the packet in question.
Techniques: a RST scan; a FIN probe with the FIN TCP flag set; an XMAS probe with the FIN, URG, ACK, SYN, RST, PUSH flags set; a NULL probe with no TCP flags set.

Scanner -> Target: probe packet
No response                       (port is open)

Scanner -> Target: probe packet
Target -> Scanner: RST/ACK        (port is closed)
Port Scanning: FTP Bounce Scanning

Connects to an FTP server, establishes a control connection, and asks the FTP server to initiate an active-mode data transfer to the target. Rather slow. Some FTP servers disable the "proxy" feature, but there are still many that do not.

Scanner -> FTP server: PORT 10,0,0,5,0,22
FTP server (10.0.0.4) -> Target (10.0.0.5): TCP SYN
Target -> FTP server: RST
FTP server -> Scanner: 425 Cannot build data connection
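The server-side check that closes the "proxy" behaviour above, as an added example (not nmap's or any FTP server's code): parse the RFC 959 PORT argument h1,h2,h3,h4,p1,p2 and refuse a data connection to any address other than the control connection's peer or to a privileged port. The control-peer address and the reply strings are constructed for the example.

```python
import ipaddress
import re

# Constructed example values (not from the slide): the client that opened the
# FTP control connection, and the PORT command a bounce attempt would send.
CONTROL_PEER = "192.0.2.10"
BOUNCE_PORT_CMD = "PORT 10,0,0,5,0,22"   # the command shown on the slide

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2, each a decimal byte
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_command(line):
    """Return (ip, port) for a syntactically valid PORT command, else None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]       # p1 is the high byte
    return host, port


def check_port_command(line, control_peer):
    """Decide whether the server should honour a PORT command.

    Returns (accepted, reply). The data connection is only allowed back to the
    address of the control connection, and only to a non-privileged port; this
    is the check that removes the proxy behaviour a bounce scan depends on.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "501 Syntax error in parameters or arguments"
    host, port = parsed
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        return False, "500 Illegal PORT command (address mismatch)"
    if port < 1024:
        return False, "500 Illegal PORT command (privileged port)"
    return True, "200 PORT command successful"


if __name__ == "__main__":
    print(check_port_command(BOUNCE_PORT_CMD, CONTROL_PEER))           # rejected
    print(check_port_command("PORT 192,0,2,10,195,80", CONTROL_PEER))  # accepted
```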
Port Scanning with nmap

SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX: TCP Null, FIN, and Xmas scans
-b <FTP relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
  Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
Services and Versions Detection

The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses.
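How the match expressions work, as an added example (not nmap's own code): constructed entries written in the shape of nmap-service-probes lines (Probe lines naming the string sent; match lines with an m|regex|flags pattern and p/ v/ i/ version fields that reference capture groups as $1, $2), a parser for the match lines, and a matcher that applies them to a response banner. The entries and banners are made up for the example and cover only this subset of the file's syntax.

```python
import re

# Constructed entries in the shape of nmap-service-probes lines (written for this
# example, not copied from the real database). Only the match lines are parsed:
# match <service> m<delim>regex<delim>[flags] p/product/ v/version/ i/info/
PROBES_TEXT = r"""
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
ports 80,8080
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\d.]+)|s p/Apache httpd/ v/$1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: nginx/([\d.]+)|s p/nginx/ v/$1/
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
"""

MATCH_RE = re.compile(r"^match (\S+) m(.)(.*?)\2([is]*)\s*(.*)$")
FIELD_RE = re.compile(r"\b([pvihod])/([^/]*)/")


def parse_matches(text):
    """Return [(service, compiled regex, {field letter: template})] per match line."""
    matches = []
    for line in text.splitlines():
        m = MATCH_RE.match(line)
        if not m:
            continue                      # Probe/ports/rarity lines are not needed here
        service, _delim, pattern, flags, info = m.groups()
        re_flags = (re.S if "s" in flags else 0) | (re.I if "i" in flags else 0)
        matches.append((service, re.compile(pattern, re_flags), dict(FIELD_RE.findall(info))))
    return matches


def fill_template(template, m):
    """Replace $N in a version field with capture group N ('' if no such group)."""
    def group(g):
        n = int(g.group(1))
        return (m.group(n) or "") if n <= m.re.groups else ""
    return re.sub(r"\$(\d)", group, template)


def identify(response, matches):
    """First matching line wins; returns {'service': ..., 'p': ..., 'v': ...} or None."""
    for service, regex, fields in matches:
        m = regex.search(response)
        if m:
            result = {"service": service}
            result.update({k: fill_template(t, m) for k, t in fields.items()})
            return result
    return None


if __name__ == "__main__":
    probes = parse_matches(PROBES_TEXT)
    print(identify("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n", probes))
    print(identify("SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3\r\n", probes))
```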
Operating System Detection

Banner, DNS HINFO and ...
TCP/IP fingerprinting (IP stack implementations respond differently):
FIN probe, bogus flag probe
TCP initial sequence number sampling, TCP initial window, ACK value
ICMP error quenching, message quoting, ICMP echo integrity
IP: DF, TOS, fragmentation
OS Detection: Examples

ACK value: sending FIN|PSH|URG to a closed port. Most OSes: ACK with the same sequence number; Windows: ACK with sequence number + 1.
Type of Service: probing with an ICMP_PORT_UNREACHABLE message. Most OSes: TOS = 0; Linux: TOS = 0xC0.
Version and OS Detection with nmap

SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)

OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
Port Scanning Detection

For administrators to detect scanning: log suspicious packets; identify connections not properly terminated; record port usage.
Port Scanning Detection

For hackers to dodge detection:
Randomize the sequence of ports to prevent detection.
Slow scan: spread probes out beyond the site's IDS detection threshold (2 packets/day/site!).
Decoys: spoofed addresses in the attack.
Coordinated scans: multiple scanners probe the same host or network.
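The administrator-side signals from the previous slide and the evasions on this one, run over a constructed connection log as an added defensive example (not from the slides): distinct-port counting per source is unaffected by port randomization, the half-open count picks up connections that were never completed, and running the same detector with a short and a long window shows why a slow scan needs a long history log. The log format and all addresses are made up for the example.

```python
from collections import Counter, defaultdict

# Constructed sample log, not real traffic: (seconds since start, source IP,
# destination port, outcome). "refused" = SYN answered by RST/ACK, "half-open" =
# SYN/ACK then torn down with RST (SYN scan), "completed" = full handshake.
SAMPLE_LOG = (
    # fast SYN scan: 12 ports within 12 seconds, nothing completed
    [(t, "10.0.0.9", p, "half-open" if p in (22, 80) else "refused")
     for t, p in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 8080])]
    # slow scan: one probe every 12 hours for a week
    + [(43200 * i, "10.0.0.7", 1000 + i, "refused") for i in range(14)]
    # ordinary client: completed connections to two services only
    + [(30 + 10 * i, "10.0.0.20", 80 if i % 2 else 443, "completed") for i in range(8)]
)


def detect_port_scans(records, window, threshold):
    """Map each source that touched >= threshold distinct ports inside some
    window-second span to that peak count. Distinct ports make the probe order
    irrelevant; the window length decides whether a slow scan is ever one event."""
    by_src = defaultdict(list)
    for t, src, port, _ in records:
        by_src[src].append((t, port))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window, peak, start = Counter(), 0, 0
        for t, port in events:
            in_window[port] += 1
            while events[start][0] < t - window:          # expire events outside the window
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def half_open_sources(records, threshold):
    """Sources with >= threshold connections that were never properly completed."""
    counts = Counter(src for _, src, _, outcome in records if outcome == "half-open")
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG, window=60, threshold=10))          # fast scanner only
    print(detect_port_scans(SAMPLE_LOG, window=7 * 86400, threshold=10))   # slow scanner too
    print(half_open_sources(SAMPLE_LOG, threshold=2))
```

Decoys and coordinated scans spread the probes over several source addresses, so per-source counting under-counts them; keying the same counters by destination host is the usual complement.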