Cpre 532 - PowerPoint PPT Presentation
Provided by: jamestruc

Transcript and Presenter's Notes
1
Cpre 532
  • Lecture 4

2
Outline
  • Scanning
  • Tools for scanning

3
Homework
  • Due in a week and a half
  • Use the subnet given
  • Login to sarek

4
Scanning
  • Footprinting has identified some targets
  • Scanning will tell one if there are
    vulnerabilities
  • Scanning can be detected
  • Talk about countermeasures to these detection
    methods

5
Scanning cont
  • Ping
  • The DOS prompt has access to ping
  • All UNIX variants have ping
  • Uses ICMP
  • ICMP is used to report errors in the IP layer
  • Carried as the payload of an IP packet
  • Part of the kernel code
  • ICMP echo
  • ICMP echo reply
  • Both used to support ping

6
Ping
  • Send echo request
  • Echo reply is sent back
  • Tells if a computer is alive and TCP/IP stack is
    in operation
  • Ping sweeps
  • Sweep through IP addresses to see what IPs are
    returning with echo reply
  • Iowa State has about 65,000 possible addresses;
    it would take a long time to ping them all if one
    waited for a response to each ping
  • fping (UNIX) sends out multiple pings and doesn't
    wait for each answer to come back
  • Windows has Pinger
  • Administrators might block echo requests

7
TCP Ping
  • Checks if a particular port is open
  • Usually use port 80
  • Firewalls typically allow port 80 to pass
  • Other ports
  • 25 mail
  • 110 POP
  • 143 IMAP

8
ICMPenum
  • Allows a user to pick ICMP packet to use
  • ICMP time stamp
  • Using obscure ICMP messages to tell if a computer
    lives at the IP address

9
Detection
  • Need a device that watches all traffic to
    determine ping sweeps
  • Intrusion detection can detect
  • Snort is a free IDS
  • Most common ones work like virus scanners: they
    use signatures
  • Can get past an IDS by changing the signature of
    the scan
  • Typical IDS rule: if repeated ICMP echo requests
    are seen, or if IPs are being walked through
    linearly, then flag a problem
  • Attacker changes the scanner to randomly select IPs
    in the subnet so that they are not scanned linearly
  • Very simple example
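As an added example that is not part of the lecture, the following Python script implements the "very simple" IDS rule from this slide over a constructed ICMP echo-request log: it flags a source that probes a threshold number of distinct addresses within a time window, and separately reports whether those targets were walked linearly. Running it shows why randomising the target order, as the slide describes, evades only the linear-walk rule and not the distinct-target count. The log line format, window and threshold are my own assumptions.

```python
"""Added example (not from the lecture): flag ICMP echo-request sweeps in a
packet log using the two rules the slide describes (many distinct targets
from one source, and targets visited in linear address order)."""
from collections import defaultdict
import ipaddress

# Constructed log lines, one per ICMP echo request:
# "<seconds> <src> -> <dst> icmp echo-request"
SAMPLE_LOG = """\
1.00 10.0.0.5 -> 192.168.1.1 icmp echo-request
1.01 10.0.0.5 -> 192.168.1.2 icmp echo-request
1.02 10.0.0.5 -> 192.168.1.3 icmp echo-request
1.03 10.0.0.5 -> 192.168.1.4 icmp echo-request
1.04 10.0.0.5 -> 192.168.1.5 icmp echo-request
2.00 10.0.0.9 -> 192.168.1.7 icmp echo-request
2.01 10.0.0.9 -> 192.168.1.2 icmp echo-request
2.02 10.0.0.9 -> 192.168.1.9 icmp echo-request
2.03 10.0.0.9 -> 192.168.1.4 icmp echo-request
2.04 10.0.0.9 -> 192.168.1.1 icmp echo-request
3.00 10.0.0.2 -> 192.168.1.10 icmp echo-request
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst) for each echo-request line."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[5] != "echo-request":
            continue  # ignore anything that is not an echo request
        events.append((float(parts[0]), parts[1], parts[3]))
    return events


def is_linear_walk(dsts):
    """True if every destination is exactly one address above the previous one."""
    ints = [int(ipaddress.ip_address(d)) for d in dsts]
    return len(ints) >= 2 and all(b - a == 1 for a, b in zip(ints, ints[1:]))


def detect_sweeps(events, window=10.0, threshold=5):
    """Return {src: verdict} for every source that probed `threshold` or more
    distinct addresses inside any `window`-second span.  The verdict records
    whether the targets were walked linearly or in a randomised order."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    verdicts = {}
    for src, items in by_src.items():
        items.sort()  # chronological order
        for i in range(len(items)):
            start = items[i][0]
            in_win = [d for ts, d in items[i:] if ts - start <= window]
            if len(set(in_win)) >= threshold:
                kind = "linear-sweep" if is_linear_walk(in_win) else "randomized-sweep"
                verdicts[src] = kind
                break
    return verdicts


if __name__ == "__main__":
    for src, verdict in detect_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {verdict}")
```

Both 10.0.0.5 (linear) and 10.0.0.9 (randomised) are reported, because the distinct-target rule does not care about order; a rule that only looked for linear walks would miss the second source, which is exactly the evasion the slide describes.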

10
Prevention
  • Block ICMP
  • Some ICMP messages are essential to network
  • Usually allow the following incoming only (never
    respond to them):
  • Echo reply
  • Host unreachable
  • Time exceeded
  • Remove ICMP handling from the kernel and put it in
    user space, UNIX only
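To make the "incoming only, never respond to" policy concrete, here is an added example (my own code, not from the lecture) of a minimal stateful ICMP filter in Python. It drops incoming echo requests so the host never confirms it is alive, accepts host unreachable and time exceeded messages, and accepts an echo reply only when it matches an echo request this host itself sent. Everything else, including the timestamp request mentioned on the ICMPenum slide, is dropped. The message records and the (peer, identifier, sequence) matching key are assumptions of this example.

```python
"""Added example (not from the lecture): a small stateful ICMP filter that
implements the slide's policy of accepting only echo replies, host
unreachable and time exceeded, and never answering echo requests."""

# ICMP type numbers (RFC 792) and the host-unreachable code of type 3
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
HOST_UNREACHABLE_CODE = 1


class IcmpFilter:
    def __init__(self):
        # (peer, identifier, sequence) of echo requests this host has sent
        # and not yet seen a reply for
        self.pending = set()

    def outbound(self, dst, icmp_type, ident=0, seq=0):
        """Let our own traffic out, remembering echo requests so that the
        matching reply can be recognised later."""
        if icmp_type == ECHO_REQUEST:
            self.pending.add((dst, ident, seq))
        return "allow"

    def inbound(self, src, icmp_type, code=0, ident=0, seq=0):
        """Decide whether an incoming ICMP message reaches the stack."""
        if icmp_type == ECHO_REQUEST:
            return "drop"          # silently ignored, so no reply leaks liveness
        if icmp_type == ECHO_REPLY:
            key = (src, ident, seq)
            if key in self.pending:
                self.pending.discard(key)   # one reply per request
                return "allow"
            return "drop"          # unsolicited reply
        if icmp_type == DEST_UNREACHABLE and code == HOST_UNREACHABLE_CODE:
            return "allow"         # essential error report
        if icmp_type == TIME_EXCEEDED:
            return "allow"         # essential for traceroute and TTL expiry
        return "drop"              # e.g. timestamp requests, redirects


if __name__ == "__main__":
    f = IcmpFilter()
    print(f.inbound("198.51.100.7", ECHO_REQUEST))              # drop
    f.outbound("198.51.100.7", ECHO_REQUEST, ident=7, seq=1)
    print(f.inbound("198.51.100.7", ECHO_REPLY, ident=7, seq=1))  # allow
```

The state table is what turns "echo reply" from a blanket allow into "incoming only": a reply that no outgoing request explains is discarded, so an attacker cannot use unsolicited replies as a covert probe of the filter.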

11
Scanning Phase 1 Completed
  • Obtained a list of the computers or devices in the
    target subnet
  • Phase 2 starts with identifying the operating
    system or the specific services that are offered

12
Services Offered
  • TCP/IP protocol suite
  • 65k TCP ports and 65k UDP ports
  • How does an attacker find out which ports a server
    opens for communication?
  • Try TCP connections to all ports
  • Example: use telnet to try to open every port and
    see if the target responds
  • TCP connection: 3-way handshake
  • Client sends SYN
  • Server responds with SYN/ACK
  • Client ACKs
  • This completed connection gets logged
  • Attackers got more intelligent and devised the
    half-open scan
  • Attacker sends SYN
  • Server responds with SYN/ACK
  • Attacker sends RST/ACK
  • This is not a complete connection, so it would not
    have been logged
  • TCP FIN
  • If a FIN arrives at a closed port, a RST must be
    sent back
  • Attackers rely on this TCP/IP standard behaviour:
    the RST packet tells them the port is closed, and
    if a port doesn't send one back then it must be
    open

13
Services Offered cont
  • TCP Null scan
  • No flags are set; closed ports send back a RST
  • TCP ACK scan
  • Takes advantage of poorly configured firewalls
  • Some firewalls filter the opening of connections
    by looking only at the SYN and SYN/ACK packets
  • Assumption that is made:
  • the firewalls do not care about other packets
    because they have already stopped all bad connections
  • The ACK will go through because the firewall thinks
    the connection has been allowed
  • Stateful firewalls block this type of scan

14
UDP for Scanning
  • UDP is stateless
  • Send a UDP packet to the port
  • If the port is closed, the host responds with an
    ICMP host unreachable message
  • Minimal use of UDP scans because most firewalls
    block this access, and UDP is not used by many
    applications
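The three slides above describe scan techniques by the flag sequences they produce on the wire. As an added example that is not part of the lecture, the Python below takes a constructed packet trace between a scanner and one target and classifies each probed port by technique (full connect, half-open, FIN, Null, ACK, UDP) and inferred state, then lists which probes a connection log would never show. The trace is invented for this example; the only real detail added beyond the slides is that the ICMP error a closed UDP port sends is destination unreachable type 3 with code 3 (port unreachable), written here as "3/3".

```python
"""Added example (not from the lecture): classify port-scan probes from a
constructed packet trace by the flag patterns described on the slides."""
from collections import defaultdict

# Each record is (direction, protocol, port, flags).
# 'out' = scanner -> target, 'in' = target -> scanner.  TCP flags use
# S=SYN, A=ACK, F=FIN, R=RST; UDP has no flags; for ICMP the port field is
# the probed UDP port and flags carry "type/code".
TRACE = [
    ("out", "tcp", 80, "S"), ("in", "tcp", 80, "SA"), ("out", "tcp", 80, "A"),    # full connect
    ("out", "tcp", 22, "S"), ("in", "tcp", 22, "SA"), ("out", "tcp", 22, "RA"),   # half-open
    ("out", "tcp", 25, "F"), ("in", "tcp", 25, "RA"),                             # FIN, closed
    ("out", "tcp", 443, "F"),                                                      # FIN, silence
    ("out", "tcp", 110, ""), ("in", "tcp", 110, "RA"),                             # Null, closed
    ("out", "tcp", 143, "A"), ("in", "tcp", 143, "R"),                             # ACK probe
    ("out", "udp", 53, ""), ("in", "icmp", 53, "3/3"),                             # UDP, closed
    ("out", "udp", 161, ""),                                                       # UDP, silence
]


def classify_probe(out_flags, proto, responses):
    """Return (technique, inferred_state) for one probed port, given the
    scanner's packets in order and the target's (proto, flags) replies."""
    got_rst = any("R" in f for p, f in responses if p == "tcp")
    if proto == "udp":
        port_unreach = any(p == "icmp" and f == "3/3" for p, f in responses)
        return ("udp", "closed" if port_unreach else "open|filtered")
    first = out_flags[0]
    if first == "S":
        if not any(f == "SA" for p, f in responses if p == "tcp"):
            return ("syn", "closed" if got_rst else "filtered")
        # port is open: did the scanner finish the handshake or tear it down?
        follow = out_flags[1] if len(out_flags) > 1 else ""
        return ("connect" if follow == "A" else "half-open", "open")
    if first == "F":
        return ("fin", "closed" if got_rst else "open|filtered")
    if first == "":
        return ("null", "closed" if got_rst else "open|filtered")
    if first == "A":
        # a RST means the probe reached the stack, i.e. no stateful filter
        return ("ack", "unfiltered" if got_rst else "filtered")
    return ("unknown", "unknown")


def classify_trace(trace):
    """Group the trace per (proto, port) and classify every probed port."""
    out_flags = defaultdict(list)
    responses = defaultdict(list)
    for direction, proto, port, flags in trace:
        if direction == "out":
            out_flags[(proto, port)].append(flags)
        else:
            # an ICMP error answers the UDP probe for that port
            key = ("udp", port) if proto == "icmp" else (proto, port)
            responses[key].append((proto, flags))
    return {key: classify_probe(flags, key[0], responses[key])
            for key, flags in out_flags.items()}


def unlogged_probes(results):
    """Ports whose probes never completed a connection, so a logger that
    records only established connections would not see them."""
    return sorted(port for (proto, port), (tech, _) in results.items()
                  if tech != "connect")


if __name__ == "__main__":
    res = classify_trace(TRACE)
    for key in sorted(res):
        print(key, res[key])
    print("invisible to a connection log:", unlogged_probes(res))
```

Only port 80 shows up as a completed connection; every other probe in the trace is one the slides describe precisely because it avoids the logged handshake, which is why detection of these scans has to look at packets (an IDS) rather than at application or connection logs.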

15
Tools
  • Strobe
  • TCP port scanner
  • UDP scan
  • Netcat or nc
  • Robust scanning tool with many uses
  • Nmap
  • Insecure.org is the homepage
  • Lists services that are available
  • Makes guesses about the operating system running on
    the target computer by active stack fingerprinting
  • Allows spoofing of packets
  • Ident (UNIX)
  • Determines the user of a connection; used as a
    reverse authentication product
  • NetScan Tools (Windows)

16
Counter Measures
  • Personal firewalls
  • IDS
  • Unix utilities
  • Massive port scans are easy to detect
  • Limit services offered on system
  • Usually limits usefulness of computer

17
Determining OS
  • Try Telnet and FTP and read the banners
  • Active stack fingerprinting
  • FIN probe: send a FIN to an open port; this FIN is
    an invalid packet, and the TCP/IP standard tells OS
    manufacturers not to respond, but some operating
    systems do
  • Bogus flag in a SYN packet: different OSes respond
    differently
  • Initial sequence numbers are picked differently
  • Don't fragment bit
  • Initial TCP/IP window size
  • ICMP differences
  • Header return
  • Message return rate
  • Not looking for flaws or vulnerabilities, but for
    TCP/IP stack implementation differences; from these
    differences determine the OS

18
Nmap
  • Nmap -sP <IP address>/<CIDR> for ping sweeps
  • CIDR is a way to specify a range of IPs
  • An IP address is 4 8-bit chunks
  • Example: 129.186.215.0
  • Basically tells where the network and host parts
    are defined in the IP address
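To show what the CIDR notation on this slide actually encodes, here is an added example (my own Python, not from the lecture) that decodes a specification such as 129.186.215.0/24 by hand, treating the address as four 8-bit chunks exactly as the slide describes, splitting it into network and host parts with a mask, and cross-checking the result against the standard library's ipaddress module. It also reproduces the figure from the ping slide: a /16 block, which is how a campus-sized allocation is typically written, holds 65,536 addresses. The helper names are my own.

```python
"""Added example (not from the lecture): decode IPv4 CIDR notation by hand
and cross-check with the standard library."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """'129.186.215.0' -> 32-bit integer assembled from four 8-bit chunks."""
    chunks = [int(c) for c in dotted.split(".")]
    if len(chunks) != 4 or any(not 0 <= c <= 255 for c in chunks):
        raise ValueError(f"not a dotted quad: {dotted}")
    value = 0
    for c in chunks:
        value = (value << 8) | c   # shift the previous chunks left, append this one
    return value


def to_dotted(value):
    """Inverse of to_int: pull the four 8-bit chunks back out."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_for(prefix):
    """Netmask with the top `prefix` bits set: those bits are the network part."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def parse_cidr(spec):
    """Return (network, broadcast, netmask, address_count) for 'a.b.c.d/n'.
    The host bits of the given address are ignored, so 129.186.215.77/24
    describes the same block as 129.186.215.0/24."""
    addr, prefix = spec.split("/")
    mask = mask_for(int(prefix))
    net = to_int(addr) & mask           # keep the network part only
    bcast = net | (~mask & ALL_ONES)    # network part plus all host bits set
    return to_dotted(net), to_dotted(bcast), to_dotted(mask), bcast - net + 1


def contains(spec, ip):
    """True if `ip` lies inside the block `spec` (same network part)."""
    addr, prefix = spec.split("/")
    mask = mask_for(int(prefix))
    return to_int(ip) & mask == to_int(addr) & mask


def cross_check(spec):
    """Compare the hand computation with ipaddress.ip_network."""
    net = ipaddress.ip_network(spec, strict=False)
    network, bcast, mask, count = parse_cidr(spec)
    return (network == str(net.network_address)
            and bcast == str(net.broadcast_address)
            and mask == str(net.netmask)
            and count == net.num_addresses)


if __name__ == "__main__":
    for spec in ("129.186.215.0/24", "129.186.0.0/16", "129.186.215.77/27"):
        print(spec, parse_cidr(spec), "ok" if cross_check(spec) else "MISMATCH")
```

The address count is the full block size; for prefixes up to /30 the first and last addresses are the network and broadcast addresses, so the number of usable hosts is two fewer. That distinction matters when reading sweep output, since neither of those addresses belongs to a host.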

19
Next Time
  • Wrap up scanning
  • Enumeration

20
Questions