Title: An Introduction to: Network Assessments
Slide 1: An Introduction to Network Assessments
- Prepared and Presented By Tanya Baccam, GCFW, GCIH, CISSP, CISA, CCNA, CCSE, CCSA, MCSE, Oracle DBA
- Vigilar, Inc.
Slide 2: Why perform Assessments?
- Prevention is the best medicine!
- Part of a Defense in Depth strategy
- Identify potential intrusion
- Identify extent of a compromise
Slide 3: Strategy
- Identify Devices
- Understand Vulnerabilities and Risks
- Assess and Secure the Perimeter
- Assess and Secure the DMZ
- Assess and Secure the Internal Environment
Slide 4: Sources of Information
- Interviews
- ISP
- Administrators
- DNS Servers
- Network Diagrams
- Whois Queries
Slide 5: Cheops
- http://cheops-ng.sourceforge.net/download.php
Slide 6: Tkined
Slide 7: Tkined
Slide 8: Superscan
- Ping hosts
- Port Scan hosts
Slide 9: Fingerprinting Devices
- Active
- Queries the machine for information
- Passive
- Sniffs passing traffic for information
Slide 10: Active Fingerprinting
- Send a packet and look at the response.
- Change the flags for the packet
- ISN numbers
- Initial window size
- Handling of ICMP messages
- TOS field
- TCP options
- How fragmentation is handled
- Paper: www.insecure.org/nmap/nmap-fingerprinting-article.html
Slide 11: Passive Fingerprinting
- Passively watch for information during communication
- TTL
- Window Size
- Don't fragment bit
- TOS
Slide 12: P0f - Example Database Entries
- http://www.stearns.org/p0f/
- Fields recorded in each entry:
- sackOK flag
- Window scaling
- DF flag
- Maximum Segment Size
- nop flag
- Time to Live
- Packet Size
- Operating System
- Window Size
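An added example, not from the slides or from p0f itself, of how the passive-fingerprinting fields on slides 11 and 12 are matched in the p0f style: the observed SYN's window, TTL, DF bit, MSS and option layout are compared against a signature table, and the TTL gap gives the hop distance. The signatures and OS labels are constructed for illustration, not copied from the real p0f database.

```python
# Added example of p0f-style passive matching over a SYN's TCP/IP fields.
# SIGNATURES is constructed for illustration; it is not p0f's real database.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# "window" is an int or "S<n>" meaning n * the SYN's own MSS (p0f notation);
# "opts" is the SYN's TCP option layout, in order.
SIGNATURES = [
    {"os": "Linux 2.4 (illustrative)", "window": "S4", "ttl": 64,
     "df": True, "opts": ("mss", "sackOK", "ts", "nop", "ws")},
    {"os": "Windows 2000 (illustrative)", "window": 16384, "ttl": 128,
     "df": True, "opts": ("mss", "nop", "nop", "sackOK")},
    {"os": "OpenBSD 3.x (illustrative)", "window": 16384, "ttl": 64,
     "df": True, "opts": ("mss", "nop", "nop", "sackOK", "nop", "ws", "nop", "nop", "ts")},
]

def guess_initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value."""
    for base in COMMON_INITIAL_TTLS:
        if observed_ttl <= base:
            return base
    return None

def match_syn(syn, signatures=SIGNATURES):
    """Return [(os_label, estimated_hops)] for every signature the SYN fits."""
    hits = []
    initial = guess_initial_ttl(syn["ttl"])
    for sig in signatures:
        if sig["df"] != syn["df"] or sig["opts"] != syn["opts"]:
            continue
        if sig["ttl"] != initial:
            continue
        want = sig["window"]
        if isinstance(want, str):            # "S4" -> 4 * MSS carried in this SYN
            want = int(want[1:]) * syn["mss"]
        if want != syn["window"]:
            continue
        hits.append((sig["os"], sig["ttl"] - syn["ttl"]))   # one TTL decrement per router
    return hits

# Constructed SYN modelled on the ssh handshake on the Tcpdump slide
# (win 5840, mss 1460, DF), as it would look two hops from the sender.
SAMPLE_SYN = {"ttl": 62, "window": 5840, "df": True, "mss": 1460,
              "opts": ("mss", "sackOK", "ts", "nop", "ws")}

if __name__ == "__main__":
    print(match_syn(SAMPLE_SYN))   # [('Linux 2.4 (illustrative)', 2)]
```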
Slide 13: Critical Devices
- Make sure you know where the critical devices are
Slide 14: Strategy
- Identify Devices
- Understand Vulnerabilities and Risks
- Assess and Secure the Perimeter
- Assess and Secure the DMZ
- Assess and Secure the Internal Environment
Slide 15: Research is essential!
- www.google.com
- Vendor web sites
- www.securityfocus.com/bid/
Slide 16: Think like an attacker
Slide 17: Prioritize
- Based on your research, what vulnerabilities are the highest risk to your environment?
Slide 18: Strategy
- Identify Devices
- Understand Vulnerabilities and Risks
- Assess and Secure the Perimeter
- Assess and Secure the DMZ
- Assess and Secure the Internal Environment
Slide 19: Scanning
- ICMP
- SYN
- TCP Stealth
- Fragment
- UDP
Slide 20: Nmap
- Sample Options
- -sS SYN scan
- -sT TCP connect scan
- -sF FIN scan
- -sX Xmas tree scan
- -sN Null scan
- -sP ping scan
- -sU UDP scan
- -sA ACK scan
- -sR RPC scan
Slide 21: Nmap fragment scan
- nmap -f tiny-fragment scan
- Capture of the scan:
17:02:59.418110 10.10.10.10 > 10.10.10.102: icmp: echo request
17:02:59.418110 10.10.10.10.45994 > 10.10.10.102.http: . ack 269371834 win 4096
17:02:59.418110 10.10.10.102 > 10.10.10.10: icmp: echo reply
17:02:59.418110 10.10.10.102.http > 10.10.10.10.45994: R 269371834:269371834(0) win 0
17:02:59.718110 10.10.10.10.45974 > 10.10.10.102.2307: tcp (frag 49783:16@0)
17:02:59.718110 10.10.10.10 > 10.10.10.102: (frag 49783:4@16)
17:02:59.718110 10.10.10.10.45974 > 10.10.10.102.6003: tcp (frag 51187:16@0)
17:02:59.718110 10.10.10.10 > 10.10.10.102: (frag 51187:4@16)
17:02:59.718110 10.10.10.10.45974 > 10.10.10.102.275: tcp (frag 9593:16@0)
17:02:59.718110 10.10.10.10 > 10.10.10.102: (frag 9593:4@16)
17:02:59.718110 10.10.10.10.45974 > 10.10.10.102.678: tcp (frag 25130:16@0)
17:02:59.718110 10.10.10.10 > 10.10.10.102: (frag 25130:4@16)
17:02:59.718110 10.10.10.10.45974 > 10.10.10.102.344: tcp (frag 33396:16@0)
17:02:59.718110 10.10.10.10 > 10.10.10.102: (frag 33396:4@16)
17:02:59.718110 10.10.10.10.45974 > 10.10.10.102.478: tcp (frag 61393:16@0)
17:02:59.718110 10.10.10.10 > 10.10.10.102: (frag 61393:4@16)
17:02:59.718110 10.10.10.10.45974 > 10.10.10.102.1001: tcp (frag 49516:16@0)
17:02:59.718110 10.10.10.10 > 10.10.10.102: (frag 49516:4@16)
17:02:59.718110 10.10.10.102.2307 > 10.10.10.10.45974: R 0:0(0) ack 1402132342 win 0
17:02:59.718110 10.10.10.10.45974 > 10.10.10.102.884: tcp (frag 28697:16@0)
17:02:59.718110 10.10.10.10 > 10.10.10.102: (frag 28697:4@16)
17:02:59.718110 10.10.10.10.45974 > 10.10.10.102.47557: tcp (frag 23275:16@0)
17:02:59.728110 10.10.10.10 > 10.10.10.102: (frag 23275:4@16)
17:02:59.728110 10.10.10.10.45974 > 10.10.10.102.6145: tcp (frag 62912:16@0)
17:02:59.728110 10.10.10.10 > 10.10.10.102: (frag 62912:4@16)
17:02:59.728110 10.10.10.102.6003 > 10.10.10.10.45974: R 0:0(0) ack 1402132342 win 0
17:02:59.728110 10.10.10.102.275 > 10.10.10.10.45974: R 0:0(0) ack 1402132342 win 0
17:02:59.728110 10.10.10.102.678 > 10.10.10.10.45974: R 0:0(0) ack 1402132342 win 0
17:02:59.728110 10.10.10.102.344 > 10.10.10.10.45974: R 0:0(0) ack 1402132342 win 0
17:02:59.728110 10.10.10.102.478 > 10.10.10.10.45974: R 0:0(0) ack 1402132342 win 0
17:02:59.728110 10.10.10.102.1001 > 10.10.10.10.45974: R 0:0(0) ack 1402132342 win 0
17:02:59.728110 10.10.10.102.884 > 10.10.10.10.45974: R 0:0(0) ack 1402132342 win 0
17:02:59.728110 10.10.10.102.47557 > 10.10.10.10.45974: R 0:0(0) ack 1402132342 win 0
17:02:59.728110 10.10.10.102.6145 > 10.10.10.10.45974: R 0:0(0) ack 1402132342 win 0
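An added example, not from the slides, of the defender-side check the capture above invites: in a tiny-fragment scan every probe arrives as a 16-byte first fragment plus a 4-byte tail, so the TCP header is split across fragments. The code groups tcpdump lines by IP id and flags datagrams whose offset-0 fragment is shorter than a TCP header; the sample lines are constructed in the same old tcpdump style as the slide's capture.

```python
import re
from collections import defaultdict

# Constructed lines in the old tcpdump (3.x) style used on the slide.
SAMPLE_CAPTURE = """\
17:02:59.718110 10.10.10.10.45974 > 10.10.10.102.2307: tcp (frag 49783:16@0)
17:02:59.718110 10.10.10.10 > 10.10.10.102: (frag 49783:4@16)
17:02:59.718110 10.10.10.10.45974 > 10.10.10.102.6003: tcp (frag 51187:16@0)
17:02:59.718110 10.10.10.10 > 10.10.10.102: (frag 51187:4@16)
17:02:59.718110 10.10.10.102.2307 > 10.10.10.10.45974: R 0:0(0) ack 1402132342 win 0
22:55:09.908986 10.10.10.4.4125 > 10.10.10.1.ssh: S 1959695011:1959695011(0) win 5840 (DF)
"""

FRAG_RE = re.compile(
    r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?:tcp )?\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)\+?\)")
TCP_HEADER_MIN = 20   # bytes; an offset-0 fragment shorter than this splits the TCP header

def split_addr(addr):
    """'10.10.10.102.2307' -> ('10.10.10.102', '2307'); a bare IP -> (ip, None)."""
    parts = addr.split(".")
    return ".".join(parts[:4]), (parts[4] if len(parts) > 4 else None)

def find_tiny_fragments(lines):
    """Group fragments by (src, dst, IP id); return [(src, dst, dport, id, len)]
    for each datagram whose first fragment cannot hold a full TCP header."""
    datagrams = defaultdict(list)
    for line in lines:
        m = FRAG_RE.match(line)
        if not m:
            continue                      # unfragmented traffic is ignored
        src, _ = split_addr(m["src"])
        dst, dport = split_addr(m["dst"])   # port is only printed on the first fragment
        datagrams[(src, dst, int(m["id"]))].append((int(m["off"]), int(m["len"]), dport))
    hits = []
    for (src, dst, ipid), pieces in sorted(datagrams.items()):
        off, length, dport = min(pieces, key=lambda p: p[0])
        if off == 0 and length < TCP_HEADER_MIN:
            hits.append((src, dst, dport, ipid, length))
    return hits

def scan_summary(hits):
    """Per source address, the number of distinct (target, port) pairs probed."""
    by_src = defaultdict(set)
    for src, dst, dport, _ipid, _length in hits:
        by_src[src].add((dst, dport))
    return {src: len(targets) for src, targets in by_src.items()}

if __name__ == "__main__":
    hits = find_tiny_fragments(SAMPLE_CAPTURE.splitlines())
    print(hits, scan_summary(hits))
```

A single tiny first fragment can be an MTU accident; many of them from one source to many ports in under a second is the scan signature.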
Slide 22: Scan for Services
- nmap -v -g53 -sS -sR -P0 -O -p 1-65535 -o firewall.out ip_address
- -v verbose mode, nmap returns additional information
- -g53 sets the source port number utilized for the scans
- -sS conducts a SYN scan
- -sR conducts a RPC scan on all the ports found
- -P0 do not conduct pings before scanning
- -p 1-65535 ports to be scanned
- -o firewall.out output file to send the results to
- ip_address the IP address to be scanned
Slide 23: Hping2 Options (1)
- The following are the more commonly utilized hping options
- -h help
- -c the number (count) of packets to send
- -n numeric output only, no resolution for host names
- -V verbose output
- -D debug
- -a alternative source IP address
Slide 24: Hping2 Options (2)
- -f split the packet into fragments
- -y set the don't fragment IP flag (You can perform path MTU discovery with this option.)
- -o set the Type of Service (TOS)
- -d sets the data size of the packet
- -E filename use the filename file to complete the data in the packet
- -j or -J dumps the received packet in hex or printable characters, respectively
Slide 25: Hping2
Slide 26: Fragmentation with Hping
- Fragmentation testing
- hping2 -V -I eth0 --data 40 --count 3 --syn -p 22 ip_address
- hping2 -V --frag -I eth0 --data 40 --count 3 --syn -p 22 ip_address
- -V verbose mode
- -I eth0 interface name
- --data 40 data size
- --count 3 packet count
- --syn sets the SYN flag
- -p 22 sets the destination port
- ip_address sets the destination address
- --frag split packets into more fragments
Slide 27: Tcpdump/Windump
- Capture data from the wire
22:55:09.908986 10.10.10.4.4125 > 10.10.10.1.ssh: S 1959695011:1959695011(0) win 5840 <mss 1460,sackOK,timestamp 229493[|tcp]> (DF)
22:55:09.908986 10.10.10.1.ssh > 10.10.10.4.4125: S 2896899209:2896899209(0) ack 1959695012 win 5792 <mss 1460,sackOK,timestamp 2245851[|tcp]> (DF)
22:55:09.908986 10.10.10.4.4125 > 10.10.10.1.ssh: . ack 1 win 5840 <nop,nop,timestamp 229493 2245851> (DF)
22:55:09.918986 10.10.10.1.ssh > 10.10.10.4.4125: P 1:26(25) ack 1 win 5792 <nop,nop,timestamp 2245852 229493> (DF)
22:55:09.918986 10.10.10.4.4125 > 10.10.10.1.ssh: . ack 26 win 5840 <nop,nop,timestamp 229494 2245852> (DF)
22:55:09.918986 10.10.10.4.4125 > 10.10.10.1.ssh: P 1:25(24) ack 26 win 5840 <nop,nop,timestamp 229494 2245852> (DF)
22:55:09.918986 10.10.10.1.ssh > 10.10.10.4.4125: . ack 25 win 5792 <nop,nop,timestamp 2245852 229494> (DF)
Slide 28: Tcpdump's Role
- Keep a sniffer on the wire to verify the real results
- tcpdump -i eth0 -n -vvv -w output.txt
- Listen on interface eth0
- Do not convert addresses to names
- Print in very, very verbose mode
- Save the output to output.txt
- tcpdump -r output.txt
- Read the file created
Slide 29: Ethereal
- There's even a GUI-based tool!
- Step 1: Selecting Capture, Start (or Ctrl+K) brings up the screen to the right.
- Step 2: Select your options and click OK.
- Step 3: The Ethereal Capture screen tracks the number and type of packets received, while the packets are displayed on the main window.
Slide 30: Correct
- Make sure you make corrections when you find vulnerabilities
Slide 31: Strategy
- Identify Devices
- Understand Vulnerabilities and Risks
- Assess and Secure the Perimeter
- Assess and Secure the DMZ
- Assess and Secure the Internal Environment
Slide 32: Vulnerability Assessments
- Nessus
- SARA
- SAINT
- Cerberus
- N-Stealth
Slide 33: Nessus
Slide 34: SARA
Slide 35: Cerberus Internet Scanner
Slide 36: N-Stealth
Slide 37: Strategy
- Identify Devices
- Understand Vulnerabilities and Risks
- Assess and Secure the Perimeter
- Assess and Secure the DMZ
- Assess and Secure the Internal Environment
Slide 38: Nlog
Slide 39: NDiff
- Options available
- http://www.vinecorp.com/ndiff/
- ndiff [-b|-baseline <file-or-tag>] [-o|-observed <file-or-tag>] [-op|-output-ports <ocufx>] [-of|-output-hosts <nmc>] [-fmt|-format <terse|minimal|verbose|machine|html|htmle>]
- Port states (ocufx): Open, Closed, Filtered, Unfiltered, Unknown
- Host states (nmc): New hosts, Missing hosts, Changed hosts
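An added example, not the ndiff tool's own code, of the comparison the slide describes: a baseline and an observed scan are reduced to host/port state maps, and the report lists new hosts, missing hosts, and changed hosts with each port's old and new state. The two snippets are constructed in nmap's grepable (-oG) output style.

```python
import re

# Constructed nmap grepable-output snippets: baseline scan and a later one.
BASELINE = """\
Host: 10.10.10.1 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///
Host: 10.10.10.2 ()\tPorts: 25/open/tcp//smtp///
"""
OBSERVED = """\
Host: 10.10.10.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 10.10.10.3 ()\tPorts: 22/open/tcp//ssh///
"""

def parse_grepable(text):
    """Return {host: {'port/proto': state}} from nmap -oG 'Host:' lines."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+)", line)
        if not m:
            continue
        ports = hosts.setdefault(m.group(1), {})   # a host may span several lines
        pm = re.search(r"Ports: ([^\t]*)", line)
        if pm:
            for entry in pm.group(1).split(", "):
                port, state, proto = entry.split("/")[:3]   # port/state/proto/owner/service/...
                ports[f"{port}/{proto}"] = state
    return hosts

def ndiff(baseline, observed):
    """Report new, missing and changed hosts. For a changed host each differing
    port maps to (old_state, new_state); 'absent' marks a port not listed at all."""
    new = sorted(set(observed) - set(baseline))
    missing = sorted(set(baseline) - set(observed))
    changed = {}
    for host in sorted(set(baseline) & set(observed)):
        old, cur = baseline[host], observed[host]
        delta = {p: (old.get(p, "absent"), cur.get(p, "absent"))
                 for p in sorted(set(old) | set(cur)) if old.get(p) != cur.get(p)}
        if delta:
            changed[host] = delta
    return {"new": new, "missing": missing, "changed": changed}

if __name__ == "__main__":
    print(ndiff(parse_grepable(BASELINE), parse_grepable(OBSERVED)))
```

Run against a stored baseline after every assessment, the "changed" section is where an unexpected newly open port (here 80 going from closed to open) shows up before anyone reads the full scan.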
Slide 40: Ndiff Output
Slide 41: Conclusion
- Quality assessments are hard to do well, but it is possible with the right strategies and tools!
Slide 42: Resources
- www.sans.org
- www.tcpdump.org
- www.ethereal.com
- www.insecure.org/nmap/nmap_download.html
- www.stearns.org/p0f/
- www.nessus.org
- www.insecure.org/nmap/nmap-fingerprinting-article.html
- www.saintcorporation.com
- www.cerberus-infosec.co.uk/CIS-5.0.02.zip
- www.nstalker.com
- www.vinecorp.com/ndiff/