Advanced Unix - PowerPoint PPT Presentation

Provided by: bilbob
Learn more at: http://www.wildbill.org

Transcript and Presenter's Notes

Title: Advanced Unix

1
Advanced Unix
2
Roses are FF0000, Violets are 0000FF, All My Base Are Belong To You
3
Bastille Linux
  • http://www.bastille-linux.org
  • Well, best laid plans oft go awry
  • Bastille Linux does not work on FC6
  • It will work on FC5, 4, 3, etc.
  • Prerequisites for Bastille are:
    • TK - an open source, cross-platform widget
      toolkit, that is, a library of basic elements for
      building a graphical user interface (GUI).
    • Curses - a terminal control library for Unix-like
      systems, enabling the construction of text user
      interface (TUI) applications

4
Bastille Linux
  • If TK or Curses are not installed, use the
    following commands to install them:
    • yum install tk
    • yum install perl-Curses
  • To run Bastille, use the following commands:
    • GUI mode: bastille -x
    • TUI mode: bastille -c

5
Bastille Linux
  • If you are running FC6 you'll have to wait a
    little while before they support it
  • In the meanwhile, a quick demo

6
Port Scanners
  • Port scanners are useful tools
  • Port scanners are software designed to search a
    network host or hosts for open ports.
  • This is often used by administrators to check the
    security of their systems/networks and by crackers
    to detect attack points

7
Port Scanners
  • There are numerous port scanners available today:
    freeware, shareware and Commercial Off-The-Shelf
    (COTS)
  • Many network/security administrators use port
    scanners to detect unauthorized services running
    on their network

8
Port Scanners
  • Nmap ("Network Mapper") - an open source
    utility for network exploration or security
    auditing. It was designed to rapidly scan large
    networks.
  • Foundstone Vision - reports all open TCP and UDP
    ports and maps them to the owning process or
    application.

9
Port Scanners
  • Foundstone Fport - identifies unknown open ports and
    their associated applications
  • Foundstone Scanline - formerly FScan; command line
    port scanner
  • Foundstone SuperScan - powerful TCP port scanner,
    pinger, resolver
  • and many, many more

10
nmap
  • Version 3.70 (should be installed on your class
    hard drive)
  • Written by Fyodor (fyodor@dhp.com)
  • http://www.insecure.org/nmap/
  • To install on your FC6 system:
    • yum install nmap
  • Go ahead and do this now if you haven't already

11
Types of Scans
  • TCP scan - simple scan to detect open ports (aka
    listeners)
  • ACK scan - can find packets allowed through a
    stateless packet filter.
  • FIN scan - can determine if ports are
    open/closed, even if SYN packets are filtered.
  • Protocol scan - determines what IP-level
    protocols (TCP, UDP, GRE, etc.) are enabled.
  • Proxy scan - a proxy (SOCKS or HTTP) is used to
    perform the scan. The target will see the proxy's
    IP address as the source. This can also be done
    using some FTP servers.
  • Idle scan - another method of scanning without
    revealing your IP address, taking advantage of
    the predictable IP ID flaw.
  • ICMP scan - determines if a host responds to ICMP
    requests, such as echo (ping), netmask, etc.

12
Types of Scans
  • TCP connect
  • TCP SYN (a.k.a. half-open)
  • TCP FIN (a.k.a. stealth)
  • TCP SYN/FIN using IP fragments
  • TCP ftp proxy (a.k.a. bounce attack)
  • UDP raw ICMP port unreachable
  • RPC scan
  • ACK/WIN scan
  • Ping scan

13
TCP connect
  • Goal: find open TCP ports; option -sT
  • Open a connection to port p on the target
  • If it succeeds, something is listening on that
    port
  • Repeat for desired values of p
  • Advantages
    • fast: can do many ports in parallel
    • no special privileges needed
  • Disadvantages
    • easy to detect and block (filter)

14
Example
  • nmap -sT zonker

    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:01 PDT
    Interesting ports on zonker.wal (10.1.2.3)
    (The 1653 ports scanned but not shown below are in state closed)
    Port      State  Service
    21/tcp    open   ftp
    22/tcp    open   ssh
    23/tcp    open   telnet
    25/tcp    open   smtp
    111/tcp   open   rpcbind
    513/tcp   open   login
    514/tcp   open   shell
    759/tcp   open   con
    873/tcp   open   rsync
    6000/tcp  open   X11
    Nmap run completed -- 1 IP address (1 host up) scanned in 1.733 seconds
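The slides say administrators run scanners like this to detect unauthorized services on their network. The deck's example runs produce the Port/State/Service table above, and a small parser turns that text into something you can diff against an expected baseline. The following is an added example, not code from the slides or from the nmap project: it parses the table layout nmap 3.x prints (including the open|filtered state the FIN and UDP scans report), counts states, and flags open ports whose service an administrator would not want exposed. The sample output and the UNWANTED_SERVICES list are constructed assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample output in the Port/State/Service layout that nmap 3.x
# prints (modelled on the "nmap -sT zonker" slide; the UDP line is added so
# the parser also sees an "open|filtered" state). Values are constructed.
SAMPLE_OUTPUT = """\
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:01 PDT
Interesting ports on zonker.wal (10.1.2.3):
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
21/tcp   open          ftp
22/tcp   open          ssh
23/tcp   open          telnet
513/tcp  open          login
514/tcp  open          shell
6000/tcp open          X11
123/udp  open|filtered ntp
Nmap run completed -- 1 IP address (1 host up) scanned in 1.733 seconds
"""

# One table row: "<port>/<proto> <state> <service>"; states as nmap names them.
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered|unfiltered)\s+(\S+)"
)

# Services that an administrator on the slides' network would not expect to
# find exposed: cleartext logins and the Berkeley r-services. This list is an
# assumption made for the example, not anything from the slides.
UNWANTED_SERVICES = {"ftp", "telnet", "login", "shell", "X11"}


def parse_nmap_ports(text):
    """Return (port, proto, state, service) tuples for every table row in text."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def summarize(text):
    """Count states and list open ports whose service is on the unwanted list."""
    rows = parse_nmap_ports(text)
    states = Counter(state for _, _, state, _ in rows)
    flagged = sorted(
        port for port, _, state, svc in rows
        if state == "open" and svc in UNWANTED_SERVICES
    )
    return {"total": len(rows), "states": dict(states), "flagged": flagged}


if __name__ == "__main__":
    for port, proto, state, svc in parse_nmap_ports(SAMPLE_OUTPUT):
        print(f"{port}/{proto:<3} {state:<13} {svc}")
    print(summarize(SAMPLE_OUTPUT))
```

Run it on a saved scan of one of your own hosts; the flagged list is the set of ports to explain or close, and the state counts show at a glance whether a scan type left most ports ambiguous (open|filtered) rather than resolved.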

15
TCP SYN (a.k.a. half-open)
  • Goal: find open TCP ports; option -sS
  • Craft and send a SYN to port p on target
  • ACK back: someone listening; RST: no one listening
  • Send RST to tear down the (incipient) connection
  • Repeat for desired values of p
  • Advantages
    • many sites don't log this
  • Disadvantages
    • need root to craft the initial SYN

16
Example
  • nmap -sS zonker

    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 14:58 PDT
    Interesting ports on zonker.wal (10.1.2.3)
    (The 1653 ports scanned but not shown below are in state closed)
    Port      State  Service
    21/tcp    open   ftp
    22/tcp    open   ssh
    23/tcp    open   telnet
    25/tcp    open   smtp
    111/tcp   open   rpcbind
    513/tcp   open   login
    514/tcp   open   shell
    759/tcp   open   con
    873/tcp   open   rsync
    6000/tcp  open   X11
    Nmap run completed -- 1 IP address (1 host up) scanned in 2.100 seconds

17
TCP FIN (a.k.a. stealth)
  • Goal: find open TCP ports; option -sF
  • Send FIN to port p on target
  • If RST, port closed; if nothing, port open
  • Repeat for desired values of p
  • Advantages
    • even fewer log this
  • Disadvantages
    • some systems always send RSTs (e.g., IRIX,
      Windows)

18
Example
  • nmap -sF zonker

    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:04 PDT
    Interesting ports on zonker.wal (10.1.2.3)
    (The 1653 ports scanned but not shown below are in state closed)
    Port      State          Service
    21/tcp    open|filtered  ftp
    22/tcp    open|filtered  ssh
    23/tcp    open|filtered  telnet
    25/tcp    open|filtered  smtp
    111/tcp   open|filtered  rpcbind
    513/tcp   open|filtered  login
    514/tcp   open|filtered  shell
    759/tcp   open|filtered  con
    873/tcp   open|filtered  rsync
    6000/tcp  open|filtered  X11
    Nmap run completed -- 1 IP address (1 host up) scanned in 4.228 seconds

19
Variants
  • Option -sX
    • Christmas tree packet (FIN, URG, PUSH flags)
  • Option -sN
    • Null packet (all flags turned off)
  • Same expected result as for -sF
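The SYN, FIN, Xmas and Null slides each note that "many sites don't log this" or "even fewer log this": the probes never complete a handshake, so they leave nothing in application logs. They are still visible in packet or firewall logs, because a bare FIN, a segment with no flags, or FIN+PSH+URG together never begins a legitimate connection, and a SYN sweep touches many ports from one source in a short window. The following is an added detection example, not code from the slides or from nmap: it reads a constructed packet log (the line format is an assumption), reports segments with those impossible flag sets, and reports sources that hit five or more distinct ports within ten seconds. The sample addresses, the log format and the thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed packet-log sample. The line format is an assumption for this
# example: "<seconds> <src> <dst> <dport> <tcp flags>", with flags written
# tcpdump-style (S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST, "." = no flags).
# 10.9.9.9 sends SYNs to six ports in well under a second (a -sS style sweep);
# 10.8.8.8 sends FIN-only, NULL and FIN/PSH/URG segments (-sF, -sN, -sX);
# 10.1.2.50 completes an ordinary SYN, ACK handshake to port 22.
SAMPLE_LOG = """\
1000.0 10.9.9.9 10.1.2.3 21 S
1000.1 10.9.9.9 10.1.2.3 22 S
1000.2 10.9.9.9 10.1.2.3 23 S
1000.3 10.9.9.9 10.1.2.3 25 S
1000.4 10.9.9.9 10.1.2.3 80 S
1000.5 10.9.9.9 10.1.2.3 111 S
1005.0 10.8.8.8 10.1.2.3 22 F
1005.1 10.8.8.8 10.1.2.3 22 .
1005.2 10.8.8.8 10.1.2.3 22 FPU
1200.0 10.1.2.50 10.1.2.3 22 S
1200.1 10.1.2.50 10.1.2.3 22 A
"""

WINDOW_SECONDS = 10.0   # sliding window for the distinct-port count
PORT_THRESHOLD = 5      # distinct destination ports that count as a sweep


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, set of flag letters)."""
    ts, src, dst, dport, flags = line.split()
    return float(ts), src, dst, int(dport), set(flags) - {"."}


def is_malformed(flags):
    """True for flag sets a real connection never starts with (slides 17 and 19)."""
    if not flags:                   # NULL probe: no flags at all
        return True
    if flags == {"F"}:              # bare FIN with no ACK
        return True
    if flags == {"F", "P", "U"}:    # "Christmas tree": FIN, PSH, URG
        return True
    return False


def detect_scans(log_text, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return malformed probes and sources that swept many ports in one window."""
    packets = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    malformed = []
    by_src = defaultdict(list)
    for ts, src, dst, dport, flags in packets:
        if is_malformed(flags):
            malformed.append((src, dport, "".join(sorted(flags)) or "NULL"))
        by_src[src].append((ts, dport))

    # Per source, count distinct destination ports inside a trailing window
    # ending at each packet; record the largest count that crosses threshold.
    sweeps = {}
    for src, pkts in by_src.items():
        pkts.sort()
        for ts, _ in pkts:
            ports = {p for t, p in pkts if ts - window <= t <= ts}
            if len(ports) >= threshold:
                sweeps[src] = max(sweeps.get(src, 0), len(ports))
    return {"malformed": malformed, "sweeps": sweeps}


if __name__ == "__main__":
    print(detect_scans(SAMPLE_LOG))
```

The window and threshold are deliberately low for the toy log; on a real network, tune them against normal traffic first, and remember the slide's own caveat that some stacks (IRIX, Windows) answer FIN probes with RSTs, so the flag-based rule catches the probe on the wire even where the target itself gives nothing away.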

20
TCP SYN/FIN Using IP Fragments
  • Goal: find open TCP ports; option -f (modifies
    -sF, -sX, -sN, -sS)
  • Split the header up over several packets
  • Advantages
    • makes it harder for packet filters to detect the
      probe
  • Disadvantages
    • can cause monitoring tools to crash
    • high overhead on networks

21
TCP FTP Proxy (a.k.a. Bounce Attack)
  • Goal: find open TCP ports; option
    -b user:password@serverhost:port
  • Connect to serverhost using user with password
  • Set up proxy to port p on target (use PORT)
  • Send over an ls of current directory
    • if no one's there, ftp server returns 425 message
    • if someone's listening, ftp server returns 150
      message
  • Repeat for desired values of p
  • This hides who is doing the probing

22
Example
  • nmap -b anonymous:bishop@nob.cs.ucdavis.edu@ftp.wal zonker.wal

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan
    Interesting ports on zonker.wal (10.1.2.3)
    (The 1591 ports scanned but not shown below are in state closed)
    Port      State  Service
    20/tcp    open   ftp-data
    21/tcp    open   ftp
    22/tcp    open   ssh
    24/tcp    open   priv-mail
    25/tcp    open   smtp
    80/tcp    open   http
    111/tcp   open   sunrpc
    515/tcp   open   printer
    1023/tcp  open   unknown
    6000/tcp  open   X11
    Nmap run completed -- 1 IP address (1 host up) scanned in 37 seconds

If ICMP echoes are blocked, give -P0 to prevent the check for being up.
23
UDP Raw ICMP Port Unreachable
  • Goal: find UDP ports with listeners; option -sU
  • Send 0-byte UDP packet to port p on target
  • Wait for ICMP port unreachable message
    • if you get it, no one's listening
    • if you don't, someone is
  • Repeat for desired values of p
  • Disadvantage
    • usually slow due to ICMP error rate limits

24
Example
  • nmap -sU zonker.wal

    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:57 PDT
    Interesting ports on zonker.wal (10.1.2.3)
    (The 1467 ports scanned but not shown below are in state closed)
    Port     State          Service
    68/udp   open|filtered  dhcpclient
    111/udp  open|filtered  rpcbind
    123/udp  open|filtered  ntp
    513/udp  open|filtered  who
    631/udp  open|filtered  unknown
    800/udp  open|filtered  mdbs_daemon
    866/udp  open|filtered  unknown
    Nmap run completed -- 1 IP address (1 host up) scanned in 1492.935 seconds

25
RPC Scan
  • Goal: find ports with RPC services; option -sR
    (use with -sT, -sU)
  • If port p on target is open, send an RPC NULL
    command
  • Goal is to determine if p is an RPC port; if so,
    what program and version number are served there

26
Example
  • nmap -sT -sR zonker.wal

    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 16:57 PDT
    Interesting ports on zonker.wal (10.1.2.3)
    (The 1654 ports scanned but not shown below are in state closed)
    Port      State  Service (RPC)
    21/tcp    open   ftp
    22/tcp    open   ssh
    24/tcp    open   priv-mail
    25/tcp    open   smtp
    80/tcp    open   http
    111/tcp   open   sunrpc (rpcbind V2)
    515/tcp   open   printer
    1023/tcp  open   (nfs V2)
    6000/tcp  open   X11
    Nmap run completed -- 1 IP address (1 host up) scanned in 1.962 seconds

27
ACK/WIN scan
  • Goal: see if intervening firewall is a packet
    filter or stateful; option -sA
  • Send ACK to port p on target
  • Response RST: unfiltered, can get through it
  • Response ICMP unreachable, or nothing: filtered,
    probably dropped

28
Ping Scan
  • Goal: see which hosts are up; option -sP
  • Send ICMP echo to all IP addresses on network
  • Send ACK packet to port 80
    • RST back means it's up
  • Send SYN packet, wait for RST or SYN/ACK
  • Default is first two in parallel

29
Example
  • nmap -sP 10.1.2.1-127

    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 16:57 PDT
    Host joanie.wal (10.1.2.1) appears to be up.
    Host mike.wal (10.1.2.125) appears to be up.
    Nmap run completed -- 127 IP addresses (48 hosts up) scanned in 4 seconds

30
Targets
  • hostname
  • IP address
  • * is wildcard
  • /mask
  • Example: a class C network is
    • 10.1.2.*
    • 10.1.2.0-255
    • 10.1.2.0/24

31
Other Interesting Options
  • -O guess the OS type
    • Indicates how hard guessing was
  • -g p source port is p
    • Sometimes setting this to 53 (DNS) gets you
      through when others won't
  • -r do not randomize order of ports scanned
  • -p p limit scans to ports in given range
    • Example: -p 1-10,30-60,345,60000

32
A Couple More
  • -L f targets come from file f
  • -I get login name of user running server
    • remote system must honor ident protocol
    • if they send back a crypto hash, you know nothing
      more
    • very useful to see if the web server is running
      as root

33
Timing Options
  • Option -T timing controls the scan
    • Paranoid: serialize scans, 5 min between packets
    • Sneaky: paranoid but 15 sec between packets
    • Polite: serialize, wait 0.4 sec between packets
    • Normal: default behavior (adaptive)
    • Aggressive: 5 min timeout per host, wait <1.25 sec
      for probe responses
    • Insane: aggressive with 75 sec timeouts and <0.3
      sec waits