slides (c) 2012 by Richard Newman based on Hacking Exposed 7 by McClure, Scambray, and Kurtz
What is Scanning?
- How does it differ from footprinting?
  Footprinting did not necessarily attempt to access the target system(s) directly
- Scanning steps
  Determine if system is alive (network ping sweep)
  Determine which services are up
  Determine OS type/version
  Determine protocol stack versions
Network Ping Sweep
- Purpose
  Find out which IP addresses have live hosts on them
  No point in detailed examination of an empty address!
- ARP scanning
  Needed for plug-and-play autoconfiguration and mobility
  Request is broadcast to all hosts on LAN
  Host with matching address is required to respond
  Attacker needs to be on same LAN
  Must be run as super-user
  Takes CIDR subnet address range as input
  Returns all responding hosts with IP and MAC addresses
  Includes OUI of MAC if known
- nmap
  Does much more than ARP scanning
  ARP scan through -PR <CIDR address> option
  Turn off port scan using -sn option
  Reports IP address, MAC address, OUI's name, and latency
- CAIN (oxid.it/cain.html)
  Windows tool
  Does much more than ARP scanning
  GUI-based tool
  Targets on distant network segments
- ICMP messages
  - nping
    Ships with nmap
  - superscan
    Windows tool
    Free from Foundstone
    Fast ping sweep
    GUI with options for echo request, timestamp, address mask, and information request messages
    Also supports UDP and TCP port scans and more
    Can give HTML output
- Prevention
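From the defender's side, a ping sweep is visible as one source sending ICMP echo requests to many distinct addresses in a short time. The following detector is an added example, not code from the slides or from Hacking Exposed: the log line format, the addresses, the 10-second window and the threshold of 5 hosts are all constructed assumptions standing in for whatever a real firewall or sensor emits.

```python
"""Ping-sweep detection over firewall log lines (added example).

The log format, addresses, window and threshold below are constructed for
illustration. Only ICMP echo requests (type 8) count as sweep evidence;
echo replies and non-ICMP traffic are ignored.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # look-back window per source (assumption)
THRESHOLD = 5                    # distinct destinations in WINDOW that count as a sweep

# Constructed sample log: "<ISO timestamp> src=<ip> dst=<ip> proto=<proto> [type=<icmp type>]"
SAMPLE_LOG = """\
2012-03-01T10:00:00 src=10.0.0.5 dst=10.0.1.1 proto=icmp type=8
2012-03-01T10:00:01 src=10.0.0.5 dst=10.0.1.2 proto=icmp type=8
2012-03-01T10:00:02 src=10.0.0.5 dst=10.0.1.3 proto=icmp type=8
2012-03-01T10:00:03 src=10.0.0.5 dst=10.0.1.4 proto=icmp type=8
2012-03-01T10:00:04 src=10.0.0.5 dst=10.0.1.5 proto=icmp type=8
2012-03-01T10:00:05 src=10.0.0.5 dst=10.0.1.6 proto=icmp type=8
2012-03-01T10:00:06 src=10.0.0.5 dst=10.0.1.7 proto=icmp type=8
2012-03-01T10:00:07 src=10.0.0.5 dst=10.0.1.8 proto=icmp type=8
2012-03-01T10:00:02 src=10.0.0.9 dst=10.0.1.1 proto=icmp type=8
2012-03-01T10:00:03 src=10.0.1.1 dst=10.0.0.9 proto=icmp type=0
2012-03-01T10:00:04 src=10.0.0.9 dst=10.0.1.1 proto=tcp
2012-03-01T10:00:10 src=10.0.0.20 dst=10.0.1.1 proto=icmp type=8
2012-03-01T10:00:40 src=10.0.0.20 dst=10.0.1.2 proto=icmp type=8
2012-03-01T10:01:10 src=10.0.0.20 dst=10.0.1.3 proto=icmp type=8
2012-03-01T10:01:40 src=10.0.0.20 dst=10.0.1.4 proto=icmp type=8
2012-03-01T10:02:10 src=10.0.0.20 dst=10.0.1.5 proto=icmp type=8
2012-03-01T10:02:40 src=10.0.0.20 dst=10.0.1.6 proto=icmp type=8
"""


def parse_line(line):
    """Split one constructed log line into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect_ping_sweeps(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {source: max distinct echo-request destinations seen within one
    window} for every source that reached the threshold."""
    records = sorted(
        (parse_line(ln) for ln in lines if ln.strip()),
        key=lambda r: r["ts"],
    )
    recent = defaultdict(list)   # src -> [(ts, dst)] still inside the window
    alerts = {}
    for rec in records:
        if rec.get("proto") != "icmp" or rec.get("type") != "8":
            continue                       # only echo requests are sweep evidence
        src = rec["src"]
        cutoff = rec["ts"] - window
        recent[src] = [(t, d) for t, d in recent[src] if t >= cutoff]
        recent[src].append((rec["ts"], rec["dst"]))
        distinct = len({d for _, d in recent[src]})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    for src, n in detect_ping_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible ping sweep from {src}: {n} hosts probed within {WINDOW.seconds}s")
```

The slow source 10.0.0.20 probes six hosts but thirty seconds apart, so no window ever holds more than one destination and it is not flagged; a sweep spread out over hours needs a longer window or a per-day distinct-destination count. ARP-based sweeps never cross a router, so this kind of log-based check only sees them if the sensor sits on the same segment.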
- Port scanning
  Send packets to TCP and UDP ports to find listening servers
- Purpose
  Find live hosts
  Determine which services are open
  Help identify OS type, version
  Identify specific applications/versions of particular service
Scan Types - 1
- TCP connect scan
  Completes 3-way handshake
  Takes longer
  Can be run as regular user
- TCP SYN scan
  Sends SYN, waits for SYN-ACK
  SYN-ACK = open, RST = not open (usually)
  Stealthier
  Can produce DOS attack on target
- TCP FIN scan
  Sends FIN
  Should receive RST (see RFC 793)
  Usually works on Unix-based stacks
Scan Types - 2
- TCP Xmas tree scan
  Sends FIN, URG, and PUSH TCP packet
  Should receive RST on closed ports
- TCP Null scan
  Sends TCP segment with no flags set
  Should receive RST on closed ports
- TCP ACK scan
  Sends packet with ACK set
  Helps determine firewall policies, capabilities
Scan Types - 3
- TCP RPC scan
  Many Unix systems implement portmapper
  Used with RPC/RMI to find services
  Server registers service with portmapper (with pgm/version)
  Client contacts portmapper to request service, get port#
- UDP scan
  Connectionless
  Send ICMP port unreachable message if not listening
  May be up if error message not received
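The flag combinations that distinguish the TCP scan types above are exactly what a sensor can key on: an unsolicited segment with FIN+URG+PUSH, with no flags at all, or with a lone FIN has no place in a normal connection. The classifier and per-pair port counter below are an added example, not from the slides: the record format, addresses and the threshold of 8 distinct ports are constructed assumptions.

```python
"""Port-scan detection and scan-type classification over TCP flag records.

Added example: the record format, addresses and threshold are constructed.
Each record is one unsolicited inbound TCP segment as a sensor might log it:
timestamp, source, destination, destination port and the flag letters set
(S=SYN, A=ACK, F=FIN, P=PUSH, U=URG, R=RST; "-" means no flags).
"""
from collections import defaultdict

PORT_THRESHOLD = 8   # distinct destination ports from one source to one host (assumption)

# Flag sets matching the probe types described in the scan-types slides.
SCAN_TYPES = {
    frozenset("S"):   "SYN (half-open) or connect scan",
    frozenset("F"):   "FIN scan",
    frozenset("FPU"): "Xmas tree scan",
    frozenset():      "Null scan",
    frozenset("A"):   "ACK scan (firewall rule mapping)",
}


def classify_flags(flags):
    """Map a flag string such as 'FPU' or '-' to the scan type it matches."""
    fs = frozenset() if flags == "-" else frozenset(flags)
    return SCAN_TYPES.get(fs, f"other ({flags})")


# Constructed sensor records: "<ts> <src> <dst> <dport> <flags>"
SAMPLE_RECORDS = """\
10:00:00 10.0.0.5 10.0.1.1 21 FPU
10:00:00 10.0.0.5 10.0.1.1 22 FPU
10:00:00 10.0.0.5 10.0.1.1 23 FPU
10:00:00 10.0.0.5 10.0.1.1 25 FPU
10:00:01 10.0.0.5 10.0.1.1 80 FPU
10:00:01 10.0.0.5 10.0.1.1 110 FPU
10:00:01 10.0.0.5 10.0.1.1 143 FPU
10:00:01 10.0.0.5 10.0.1.1 443 FPU
10:00:02 10.0.0.5 10.0.1.1 445 FPU
10:00:02 10.0.0.5 10.0.1.1 3389 FPU
10:00:05 10.0.0.9 10.0.1.1 80 S
10:00:05 10.0.0.9 10.0.1.1 443 S
10:00:06 10.0.0.9 10.0.1.1 80 S
10:00:07 10.0.0.7 10.0.1.2 1 -
10:00:07 10.0.0.7 10.0.1.2 2 -
10:00:07 10.0.0.7 10.0.1.2 3 -
10:00:07 10.0.0.7 10.0.1.2 4 -
10:00:08 10.0.0.7 10.0.1.2 5 -
10:00:08 10.0.0.7 10.0.1.2 6 -
10:00:08 10.0.0.7 10.0.1.2 7 -
10:00:08 10.0.0.7 10.0.1.2 8 -
"""


def detect_port_scans(lines, threshold=PORT_THRESHOLD):
    """Return {(src, dst): (distinct port count, dominant scan type)} for every
    source/destination pair whose distinct-port count reached the threshold."""
    ports = defaultdict(set)                       # (src, dst) -> ports touched
    kinds = defaultdict(lambda: defaultdict(int))  # (src, dst) -> scan type -> count
    for ln in lines:
        if not ln.strip():
            continue
        _ts, src, dst, dport, flags = ln.split()
        ports[(src, dst)].add(int(dport))
        kinds[(src, dst)][classify_flags(flags)] += 1
    alerts = {}
    for pair, seen in ports.items():
        if len(seen) >= threshold:
            dominant = max(kinds[pair].items(), key=lambda kv: kv[1])[0]
            alerts[pair] = (len(seen), dominant)
    return alerts


if __name__ == "__main__":
    for (src, dst), (n, kind) in detect_port_scans(SAMPLE_RECORDS.splitlines()).items():
        print(f"{src} -> {dst}: {n} ports, {kind}")
```

The normal client 10.0.0.9 sends plain SYNs to two ports and is left alone; a SYN scan only stands out by volume, which is why the port count matters more than the flags for that type. A UDP scan carries no flags at all, so the analogous signal on the defender's side is a burst of ICMP port-unreachable messages leaving the target.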
Identifying Services - 1
- TCP SYN port scan using nmap
  Use -sS option
  Use -oN <file> to save human readable output
  Use -oG <file> to save tab-delimited version
  Use -oX <file> to save XML
  -oA saves in all formats
  Lists open ports with nominal services
  -f option to fragment packets
  Take care to use real IP addresses to avoid SYN attack DOS
  -b option to use FTP bounce scanning
    Uses older FTP servers to reflect packets
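The tab-delimited -oG format is the one meant for post-processing, and the most useful thing to do with it on your own network is to diff the open ports against what the service inventory says should be listening. The parser below is an added example, not from the slides: the scan output is constructed in the -oG layout (each port entry is port/state/protocol/owner/service/rpcinfo/version/), and the baseline dictionary is an assumption standing in for a site's inventory.

```python
"""Parse nmap grepable (-oG) output and compare it with an allowed-services baseline.

Added example: the scan text is constructed in the -oG layout and the baseline is
an assumption; neither comes from the slides.
"""

# Constructed -oG output: comment lines, a "Status" line and a "Ports" line per host.
SAMPLE_GNMAP = """\
# Nmap scan initiated Thu Mar  1 10:00:00 2012 as: nmap -sS -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.10 (srv1.example.test)\tStatus: Up
Host: 192.168.1.10 (srv1.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap done at Thu Mar  1 10:00:30 2012 -- 256 IP addresses (2 hosts up) scanned in 30.00 seconds
"""


def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service), ...]} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # skip comment header/footer
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        if "Ports" not in fields:
            continue                                  # "Status: Up" lines carry no ports
        ip = fields["Host"].split()[0]                # "<ip> (<hostname>)" -> ip
        entries = []
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, *_rest = entry.split("/")
            entries.append((int(port), proto, state, service))
        hosts[ip] = entries
    return hosts


BASELINE = {   # assumption: what the inventory says should be listening, as (port, proto)
    "192.168.1.10": {(22, "tcp"), (80, "tcp")},
    "192.168.1.20": {(3389, "tcp")},
}


def unexpected_open_ports(hosts, baseline):
    """Return {ip: sorted open ports that the baseline does not allow for that host}.
    A host missing from the baseline has no allowed ports, so everything open is reported."""
    findings = {}
    for ip, entries in hosts.items():
        allowed = baseline.get(ip, set())
        extra = sorted(p for p, proto, state, _svc in entries
                       if state == "open" and (p, proto) not in allowed)
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    for ip, extra in unexpected_open_ports(parse_gnmap(SAMPLE_GNMAP), BASELINE).items():
        print(f"{ip}: unexpected open ports {extra}")
```

Run against a scan of your own address space, the findings list is the concrete form of the "disable all unnecessary services" advice: each entry is a listener nobody registered. Closed and filtered ports are kept in the parsed structure but not reported, since they are not exposure.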
Identifying Services - 2
- SuperScan (Foundstone.com)
  Windows/GUI-based alternative to nmap
  Port scans in addition to ICMP and ARP scans
  Select port or port range to scan, and protocol
  Select special techniques for TCP, UDP
  UDP data+ICMP method
    Multiple UDP packets to a port
    May overwhelm ICMP response capability
    Very accurate, but slow
- ScanLine
- Netcat (nc)
  Older, command-line tool - Swiss army knife
- Attacker (Foundstone.com)
- Prevention
  Disable all unnecessary services
  System specific
Detecting the OS - 1
Active OS Detection
Popularity=10; Simplicity=8; Impact=4; Risk Rating=7
- Banner grabbing (later)
- Available ports signature
  Some systems use particular ports for services
- Active stack fingerprinting
  Responses to probes are implementation dependent
  Multiple types of probes used to narrow field
  See insecure.org/nmap/nmap-fingerprinting-article.html
Detecting the OS - 2
Active Stack Fingerprinting Probes
- FIN probe
  Correct not to respond, but some send FIN/ACK
- Bogus flag probe (in SYN packet)
  Correct to ignore, but some set flag in SYN-ACK
- Initial Sequence Number (ISN) sampling
  Patterns may be found in ISNs for connections that depend on OS
- DF bit monitoring
  Some OS's may set DF in IP header to improve performance
- TCP initial window size
  Some systems have characteristic initial rwnd size
  Note that rwnd is indication of buffer space at receiver, set by OS
- ACK value
  May use last SN (less common) or last SN+1 (usual)
Detecting the OS - 3
- ICMP error message quenching
  Systems may limit the number of ICMP error messages (RFC 1812)
  Send UDP packets to random port, determine rate of ICMP port unreachable messages
- ICMP message quoting
  ICMP error messages include some initial portion of the offending datagram
  Amount of data included varies according to system
- ICMP error message-echoing integrity
  Some systems change IP headers quoted in ICMP error messages
- TOS on ICMP port unreachable message
  Usually TOS=0, but may vary
- Fragmentation handling
  Observe how probe packets with overlapping fragments are reassembled
Detecting the OS - 4
Passive OS Detection
Popularity=5; Simplicity=6; Impact=4; Risk Rating=5
- Less obtrusive than active OS fingerprinting
- Monitor traffic to/from target
  Requires favorable position
- Passive signatures
  TTL on outbound datagrams
  Initial window size (rwnd)
  DF (don't fragment) bit set?
- Siphon tool (packetstormsecurity.org)
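The same three passive signals (TTL, initial window, DF bit) are what a defender uses to check that the hosts on a segment are what the asset inventory claims. The sketch below is an added example, not the Siphon tool's code or anything from the slides: the SYN summaries are constructed, and the mapping from initial TTL to stack family (64 for most Unix-like stacks, 128 for Windows, 255 for much network equipment) is an illustrative assumption rather than a full signature database. The window size is recorded but deliberately not matched, since it varies too much between versions to be reliable on its own.

```python
"""Passive OS inference from TTL, window size and DF bit of observed SYN segments.

Added example: the packet summaries are constructed, and FAMILY_BY_TTL encodes
common default initial TTLs as an assumption, not an authoritative signature set.
"""

INITIAL_TTLS = (64, 128, 255)                                      # common starting values
FAMILY_BY_TTL = {64: "Unix-like", 128: "Windows", 255: "network device"}   # assumption


def infer_initial_ttl(observed_ttl):
    """The observed TTL is the sender's initial value minus the hop count, so the
    first candidate at or above it is the likely start and the gap is the distance."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError(f"TTL {observed_ttl} outside 0..255")
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate, candidate - observed_ttl
    raise AssertionError("unreachable: 255 is the largest candidate")


def fingerprint(summary):
    """summary: 'src=<ip> ttl=<n> win=<n> df=<0|1>' (constructed sensor format)."""
    f = dict(kv.split("=", 1) for kv in summary.split())
    initial, hops = infer_initial_ttl(int(f["ttl"]))
    return {
        "src": f["src"],
        "initial_ttl": initial,
        "hops": hops,
        "window": int(f["win"]),        # kept for the analyst, not used to classify
        "df": f["df"] == "1",
        "family": FAMILY_BY_TTL[initial],
    }


# Constructed: the first SYN seen from each host at a monitoring point.
SAMPLE_SYNS = [
    "src=10.0.0.5 ttl=57 win=29200 df=1",
    "src=10.0.0.6 ttl=121 win=8192 df=1",
    "src=10.0.0.7 ttl=250 win=4128 df=0",
    "src=10.0.0.8 ttl=64 win=65535 df=1",
]

# Assumption: what the asset inventory records for these addresses.
INVENTORY = {"10.0.0.5": "Unix-like", "10.0.0.6": "Windows", "10.0.0.8": "Windows"}


def inventory_mismatches(summaries, inventory):
    """Return {ip: (inventory family, observed family)} for hosts whose stack
    does not look like what the inventory says; unknown hosts are skipped."""
    out = {}
    for s in summaries:
        fp = fingerprint(s)
        expected = inventory.get(fp["src"])
        if expected and expected != fp["family"]:
            out[fp["src"]] = (expected, fp["family"])
    return out


if __name__ == "__main__":
    for s in SAMPLE_SYNS:
        fp = fingerprint(s)
        print(f"{fp['src']}: looks {fp['family']}, {fp['hops']} hops away, DF={fp['df']}")
    for ip, (want, got) in inventory_mismatches(SAMPLE_SYNS, INVENTORY).items():
        print(f"mismatch {ip}: inventory says {want}, traffic looks {got}")
```

A mismatch is not proof of anything by itself (a NAT box or a rebuilt host produces the same signal), but it is a cheap, unobtrusive prompt to go and look, which is the whole appeal of passive detection over active probing.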