Cpre 532

1
Cpre 532

• Lecture 4

2
Outline

• Scanning
• Tools for scanning

3
Homework

• Due in a week and a half
• Use subnet give
• Login to sarek

4
Scanning

• Footprinting has identified some targets
• Scanning will tell one if there are
  vulnerabilities
• Scanning can be detected
• Talk about countermeasures to these detection
  methods

5
Scanning cont

• Ping
• Dos prompt has access to ping
• All UNIX variants have ping
• Uses ICMP
• Used to report errors in IP layer
• Carried as payload in an IP packet
• Part of kernel code
• ICMP echo
• ICMP echo reply
• Both used to support ping

6
Ping

• Send echo request
• Echo reply is sent back
• Tells if a computer is alive and TCP/IP stack is
  in operation
• Ping sweeps
• Sweep through IP addresses to see what IPs are
  returning with echo reply
• Iowa State has a possible 65,000 possible
  addresses, would take long time to ping if one
  waited for a response to each ping
• Fping, UNIX, sends out multiple pings and doesnt
  wait for the answer to come back
• Windows has Pinger
• Administrators might block echo requests

7
TCP Ping

• Checks if a particular port is open
• Usually use port 80
• Firewalls typically allow port 80 to pass
• Other ports
• 25 mail
• 110 pop
• 143 Imap

8
ICMPenum

• Allows a user to pick ICMP packet to use
• ICMP time stamp
• Using obscure ICMP messages to tell if a computer
  lives at the IP address

9
Detection

• Need a device that watches all traffic to
  determine ping sweeps
• Intrusion detection can detect
• Snort is a free IDS
• Most common ones are like virus scanners, use
  signatures
• Can get past IDS by changing signature of scan
• Typical rule of IDS if (icmp icmp) or if
  walking through IPs linearly then problem
• Attacker changes scanner to randomly select IPs
  in subnet so that they are not scanned linearly
• Very simple example

10
Prevention

• Block ICMP
• Some ICMP messages are essential to network
• Usually allow (incoming only, never respond to)
• Echo reply
• Host unreachable
• Time exceeded
• Remove ICMP from kernel and put in user defined
  space, UNIX only

11
Scanning Phase 1 Completed

• Obtained a list of computer or devices or in that
  target subnet
• Phase 2 starts with identifying operating system
  or the specific services that are offered

12
Services Offered

• TCP/IP protocol suite
• 65k ports for TCP and 65k for UDP ports
• How does an attacker find out what ports a server
  opens for communication
• Try TCP connections to all ports
• Example Use telnet to try to open all ports and
  see if target responds
• TCP connection, 3 way handshaking
• Client sends Syn
• Server responds with Syn/Ack
• Client Acks
• This completed connection gets logged
• Attackers got more intelligent and devised the
  half open scan
• Attacker sends Syn
• Server responds with Syn/Ack
• Attacker sends Rst/Ack
• This is not a complete connection so it would not
  have been logged
• TCP Fin
• If a Fin comes to a close port, a Rst must be
  sent back
• Attackers use the TCP/IP standard to send a RST
  packet as a way of telling if a port is closed,
  if a port doesnt send this back then it must be
  open

13
Services Offered cont

• TCP Null scan
• No flags are set, closed ports would send back a
  RST
• TCP Ack scan
• Takes advantage of poorly configured firewalls
• Some firewalls filter the opening of connections
  by looking at the Syn and the Syn/Ack packets
• Assumption that is made
• the firewalls do not care about other packets
  because they stopped all bad connections
• Ack will go through because firewall thinks the
  connection has been allowed
• Statefull firewalls block this type of scan

14
UDP for Scanning

• UDP is stateless
• Send UDP packet to port
• Port responds with ICMP message with host
  unreachable
• Minimal use of UDP scans because most firewalls
  block this access, UDP not used by many
  applications

15
Tools

• Strobe
• TCP port scanner
• UDP scan
• Netcat or Nc
• Robust scanning tools, has many uses
• Nmap
• Insecure.org is the homepage
• List services that are available
• Makes guesses on operation system running on
  target computer by active stack fingerprinting
• Allows spoofing of packets
• Ident UNIX
• Determines the user of an connection, used as a
  reverse authentication product
• NetScan Tools Windows

16
Counter Measures

• Personal firewalls
• IDS
• Unix utilities
• Massive port scans are easy to detect
• Limit services offered on system
• Usually limits usefulness of computer

17
Determining OS

• Try Telnet and FTP and read the banners
• Active stack finger printing
• Fin probe, send fin to open port, this fin is an
  invalid packet, TCP/IP standard tells the OS
  manufacturers not to respond, some Operating
  Systems do
• Bogus flag in Syn packet, different OS respond
  differently
• Initial sequence numbers are picked differently
• Dont fragment bit
• Initial TCP/IP window size
• ICMP differences
• Header return
• Message return rate
• Not looking for flaws or vulnerabilities, looking
  for TCP/IP stack implementation differences and
  from these differences determine OS

18
Nmap

• Nmap sp IP address / Cidr for ping sweeps
• Cidr is way to specify IPs
• IP address is 4, 8 bit chunks
• Example 129.186.215.0
• Basically telling where the network and hosts are
  defined in the IP address

19
Next Time

• Wrap up scanning
• Enumeration

20
Questions