Scanning - PowerPoint PPT Presentation

Title: Scanning
Slides: 112
Provided by: MarkS141
Learn more at: http://www.cs.sjsu.edu

Transcript and Presenter's Notes

1
Scanning
2
Attack Phases
  • Phase 1 Reconnaissance
  • Phase 2 Scanning
  • Phase 3 Gaining access
  • Application/OS attacks
  • Network attacks/DoS attacks
  • Phase 4 Maintaining access
  • Phase 5 Covering tracks and hiding

3
Scanning
  • After recon phase attacker has
  • Phone numbers, contact info
  • Domain names, IP addresses
  • Maybe some details about infrastructure
  • Next, scanning
  • Like burglar trying doors and windows

4
Scanning
  • Good guys
  • Must secure every entry point
  • Must work in a dynamic environment
  • Must deal with those pesky users
  • Attacker
  • Only needs to find one hole
  • Can take as long as necessary
  • Sadly unfair (all-too-common in security)

5
Scanning Techniques
  • War driving
  • War dialing
  • Network mapping
  • Port scanning
  • Vulnerability scanning
  • IDS and IPS

6
War Driving
  • Scan for wireless access points
  • Preferably, unsecured WLANs
  • War driving started by Peter Shipley
  • Drove around Bay Area in 2001
  • Now a very popular activity
  • Defcon has a WarDriving contest (including map of
    open access points)

7
War Driving
  • Must be within 100 yards or so to reliably
    send/receive WLAN
  • But, detectable from a mile or more
  • War driver wants to find ESSID of WLAN
  • ESSID = Extended Service Set Identifier
  • ESSID is the WLAN's name
  • ESSID acts like a password (almost)
  • By default, ESSID is sent in the clear
  • Can configure access point to not send ESSID

8
War Driving
  • 802.11 probe message
  • Required to send ESSID in probe msg
  • But send "any" for the ESSID and
  • some access points respond with their ESSID!
  • So, Trudy simply asks for ESSID
  • And sometimes she gets it
  • Can configure to require BSSID (Basic SSID)
  • I.e., the MAC address must be on an approved list
  • This helps, but only a little

9
War Driving
  • Many tools available
  • Three basic techniques
  • Active scanning
  • Passive scanning
  • Forced de-authentication
  • Tools use one (or more) of these

10
NetStumbler
  • Active 802.11 scanning tool
  • Sends probe packets with "any" ESSID
  • Access point within range might respond
  • Like running down the street shouting
  • For Windows 2k, also version for PDAs
  • Optionally uses GPS to locate access pts
  • One hour in NYC found 455 access pts

11
NetStumbler
  • Gathers MAC address, ESSID, channel, and signal
    strength
  • Also, IP address (using DHCP)
  • Whether it is using WEP or not
  • Limitations
  • Many access pts ignore "any" ESSID
  • Highly unstealthy

12
Wellenreiter
  • Passive scanning tool
  • Puts wireless card in rfmon mode
  • Aka monitor mode
  • Better than promiscuous mode
  • Gets everything---no connection needed
  • Even if encrypted, ESSID still sent in clear
  • Can dump packets into Wireshark
  • Also interfaces with GPS

13
Wellenreiter
  • Gets ESSID, MAC, IP addresses
  • Entirely passive
  • If access pt not sending ESSID
  • Non-broadcasting, name is unknown
  • until user authenticates to access pt
  • Related tool Kismet
  • Detailed packet analysis, not war driving

14
Wellenreiter
15
Forced De-authentication
  • Suppose that a particular access pt
  • Does not accept "any"
  • Does not broadcast ESSID
  • Clients have previously authenticated
  • No clients currently communicating
  • Invisible to NetStumbler, non-broadcasting to
    Wellenreiter
  • What can Trudy do?

16
ESSID-Jack
  • Assuming Trudy has access pt MAC address
  • Get MAC from Wellenreiter, Kismet
  • De-authentication requires no authentication
  • That is, the ESSID is not required
  • Only need access point's MAC address
  • ESSID-Jack sends de-authentication msg
  • Then what happens?

17
ESSID-Jack
  • Client(s) automatically re-authenticate
  • ESSID-Jack gets ESSID
  • So Trudy gets ESSID

18
War Driving Defenses
  • Set ESSID to nondescript name
  • 1234 instead of BankOfAmerica
  • Do not broadcast ESSID
  • Require authentication
  • MAC address for authentication?
  • Easily spoofed
  • Unix/Linux tool SirMACsAlot

19
WEP
  • WEP = Wired Equivalent Privacy
  • WEP uses RC4 for confidentiality
  • Considered a strong cipher
  • But WEP introduces a subtle flaw
  • WEP uses CRC for integrity
  • Should have used a crypto hash instead
  • CRC is for error detection, not integrity

20
WEP Integrity Problems
  • WEP integrity does not provide integrity
  • CRC is linear, so is stream cipher XOR
  • Can change ciphertext and CRC so that checksum
    remains correct --- undetected
  • This requires no knowledge of the plaintext!
  • Even worse if plaintext is known
  • CRC is not a cryptographic integrity check!
  • CRC designed to detect random errors
  • Not designed to detect intelligent changes

21
WEP Key
  • WEP encryption long-term secret key, K
  • RC4 is a stream cipher, so each packet must be
    encrypted using a different key
  • Initialization Vector (IV) sent with packet
  • Sent in the clear (IV is not secret)
  • Actual RC4 key for packet is (IV,K)
  • That is, IV is pre-pended to K

22
Initialization Vector Issue
  • WEP uses 24-bit (3 byte) IV
  • Each packet gets a new IV
  • RC4 packet key IV pre-pended to long-term key, K
  • Long term key K seldom (if ever) changes
  • If long-term key and IV are same, then same
    keystream is used
  • This is bad!
  • It is at least as bad as reuse of one-time pad

23
Initialization Vector Issue
  • Assume 1500 byte packets, 11 Mbps link
  • Suppose IVs generated in sequence
  • Then $1500 \times 8 / (11 \times 10^6) \times 2^{24} \approx 18{,}000$ seconds
  • Implies IV must repeat in about 5 hours
  • Suppose IVs generated at random
  • By birthday problem, some IV repeats in seconds
  • Again, repeated IV (with same K) is bad!
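As an added illustration of slides 20 through 23 (example code, not from the original deck), the Python below models WEP as (plaintext || CRC-32) XOR keystream with a random keystream standing in for RC4(IV || K), shows that a receiver checking only the CRC accepts a ciphertext whose bits were flipped without any knowledge of the plaintext or keystream, shows that a keyed MAC in place of the CRC rejects the same flip, and carries out the IV arithmetic from slide 23. The payload, keystream and key sizes are constructed for the example.

```python
import hashlib
import hmac
import math
import os
import zlib


def crc32_bytes(data: bytes) -> bytes:
    """WEP's integrity check value (ICV): CRC-32 of the plaintext."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Stream-cipher model of WEP: (plaintext || CRC) XOR keystream.
    A random keystream stands in for RC4(IV || K); the IV itself is not modelled."""
    body = plaintext + crc32_bytes(plaintext)
    return xor(body, keystream[: len(body)])


def wep_style_check(ciphertext: bytes, keystream: bytes) -> tuple[bool, bytes]:
    """Decrypt and verify the CRC, as a WEP receiver would."""
    body = xor(ciphertext, keystream[: len(ciphertext)])
    plaintext, icv = body[:-4], body[-4:]
    return icv == crc32_bytes(plaintext), plaintext


def flip_bits_keeping_crc(ciphertext: bytes, delta: bytes) -> bytes:
    """CRC-32 is affine over XOR: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0^n).
    The ICV correction therefore depends only on the flipped bits 'delta',
    not on the plaintext or the keystream (the slide's 'no knowledge' point)."""
    n = len(ciphertext) - 4
    icv_delta = xor(crc32_bytes(delta), crc32_bytes(bytes(n)))
    return xor(ciphertext, delta + icv_delta)


def mac_style_check(ciphertext: bytes, keystream: bytes, mac_key: bytes) -> bool:
    """Hardened variant: a keyed MAC (HMAC-SHA256) instead of the CRC.
    A bit flip now changes the required tag unpredictably, so it is detected."""
    body = xor(ciphertext, keystream[: len(ciphertext)])
    plaintext, tag = body[:-32], body[-32:]
    expected = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def tamper_demo() -> dict:
    keystream = os.urandom(64)              # stands in for RC4(IV || K)
    mac_key = os.urandom(32)
    p = b"DST=10.0.0.7"                     # constructed sample payload
    delta = bytes(len(p) - 1) + b"\x0e"     # flips '7' (0x37) into '9' (0x39)

    c = wep_style_encrypt(p, keystream)
    crc_ok, recovered = wep_style_check(flip_bits_keeping_crc(c, delta), keystream)

    body = p + hmac.new(mac_key, p, hashlib.sha256).digest()
    c2 = xor(body, keystream[: len(body)])
    mac_ok = mac_style_check(xor(c2, delta + bytes(32)), keystream, mac_key)
    return {"crc_accepts": crc_ok, "recovered": recovered, "mac_accepts": mac_ok}


def iv_exhaustion_seconds(packet_bytes=1500, link_bps=11e6, iv_bits=24) -> float:
    """Slide 23: time until sequential IVs wrap (packet time x 2^24)."""
    return packet_bytes * 8 / link_bps * 2 ** iv_bits


def birthday_iv_repeat_seconds(packet_bytes=1500, link_bps=11e6, iv_bits=24) -> float:
    """Slide 23: with random IVs, about sqrt(pi/2 * 2^24) packets until a repeat."""
    packets = math.sqrt(math.pi / 2 * 2 ** iv_bits)
    return packets * packet_bytes * 8 / link_bps
```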

24
WEP Active Attacks
  • WEP is the Swiss cheese of security protocols
  • If Trudy can insert traffic and observe
    corresponding ciphertext
  • Then she will know keystream for that IV
  • And she can decrypt next msg that uses that IV
  • If Trudy knows destination IP address
  • She can change IP address in ciphertext
  • And modify CRC so it is correct
  • Then access point will decrypt and forward packet
    to Trudy's selected IP address!
  • Requires no knowledge of the key K

25
War Driving Defenses
  • WEP is of limited value
  • WPA (Wi-Fi Protected Access)
  • RC4, 48 bit IV, MIC (named Michael) for
    integrity, replay protection, etc.
  • Works with same hardware as WEP
  • 802.11i (or WPA2)
  • Like WPA but crypto is better (AES)
  • Requires different hardware than WEP
  • Can try to detect unusual activity
  • Turn down the volume

26
Wireless Security
  • VPN = Virtual Private Network
  • Secure tunnel between endpoints
  • Not wireless-specific
  • But can be used to secure wireless
  • VPN provides extra layer of security
  • On top of WEP or WPA
  • Author says, do not use IKE pre-shared keys in
    aggressive mode

27
War Dialing
  • Dial lots of phone numbers
  • Looking for unprotected modems
  • One PC can scan 1k numbers/night
  • The movie War Games (circa 1983)
  • Kid tries to break into game company
  • and accidentally starts WWIII
  • Plot (such as it is) hinges on war dialing

28
War Dialing
  • Can this possibly still be an issue?
  • User might want to bypass annoying VPN
  • Admin might want remote access
  • User might install remote access tool
  • pcAnywhere, for example
  • Only protection from war dialer is pwd?

29
War Dialing
  • How to find phone numbers to try?
  • Internet, Whois database, organization's Web
    site, social engineering,
  • Maybe try numbers with same prefix
  • Easy to test 1,000s of numbers

30
THC-Scan
  • Free war dialing tool

31
THC-Scan
  • Can dial sequence, random, or list
  • Random to avoid detection
  • Parallel process on multiple machines
  • Nudging
  • Try to determine useful info
  • Can randomize interval between dialing
  • Detect jamming (based on busy signals)
  • If human answers, hangs up (click)

32
THC-Scan
  • Not too user-friendly
  • User must look at logs
  • Some numbers
  • Might not require any password
  • Might require special software (pcAnywhere)
  • Such info gathered via nudging
  • If password is required,
  • Trudy can try password cracking

33
War Dialing Defenses
  • Modem policy
  • When possible, use VPN
  • If possible, allow dial-out only
  • War dial against yourself
  • Find modems before attacker does
  • For Windows, can use Windows Management
    Instrumentation (WMI) scripts
  • Visual inspection

34
Network Mapping
  • At this point, attacker is either
  • On the outside looking in
  • I.e., on Internet looking at target DMZ
  • Has inside access
  • Attached to WLAN found war driving
  • Connected via a modem found war dialing
  • Next, step is to analyze target network
  • Looking for potential targets
  • Critical hosts, routers, firewalls,

35
Network Mapping
  • Mapping tools will be aimed wherever attacker can
    reach
  • If outside, map DMZ, Web server, etc.
  • If inside, map internal network
  • In either case, same tools
  • Similar methods

36
Sweeping
  • Want an inventory of accessible systems
  • Could ping every possible address
  • But often blocked by firewall
  • Send TCP packets to common port(s)
  • Look for SYN-ACK to come back
  • Send UDP packets with unusual port
  • If closed, may get port unreachable
  • But, maybe nothing is sent back

37
Traceroute
  • TTL field in IP header
  • Usually decremented by each router
  • When TTL reaches 0
  • Router kills packet
  • Sends ICMP time exceeded msg to source
  • Traceroute
  • UNIX traceroute uses UDP packets
  • Windows tracert uses ICMP packets

38
Traceroute
  • Map routers from source to dest

39
tracert
  • In Windows

40
Ping and Traceroute
  • Might find, for example

41
Automated Tool
  • Cheops-ng
  • Free
  • Pretty pictures
  • Lots of info (type of OS )
  • Useful for admins too

42
Network Mapping Defenses
  • Block incoming ICMP packets
  • Except those you want outsiders to ping
  • Block outgoing ICMP time exceeded
  • Except for specific addresses
  • Then (* * *) responses in traceroute
  • Limits attacker's ability to map network
  • Also limits good uses of these features

43
Port Scanning
  • At this point, attacker knows
  • Addresses of live systems
  • Basic network topology
  • Now what? Assume Trudy is outsider
  • Trudy wants to determine open ports
  • 65k TCP ports and 65k UDP ports
  • Well-known ports correspond to services
  • Open port is a doorway into machine

44
Port Scanning
  • Port scanning
  • Knock on doors (ports) to see which are open
  • Why not simply try all TCP and UDP ports?
  • Not stealthy
  • Instead can try limited range
  • More stealthy, but might miss something
  • Could instead just go slow
  • Maybe too slow (or Trudy is too impatient)
  • Distributed port scan?

45
Nmap
  • Nmap --- most popular port scan tool
  • Developed by Fyodor
  • Free at www.insecure.org
  • Unix, Linux and Windows versions
  • Command line and GUI
  • Appeared in The Matrix Reloaded
  • Many many options

46
Nmapfe
  • Nmap front end

47
TCP 3-Way Handshake
  • Recall the 3-way handshake

48
TCP Connect Scan
  • Polite scan
  • Complete the TCP 3-way handshake
  • Nmap sends SYN, wait for SYN-ACK
  • If port is open, Nmap sends ACK, then FIN
  • If closed: no reply, RESET, or ICMP unreachable
  • Plusses?
  • Should not cause problem for target
  • Minuses?
  • Not stealthy, Trudy's IP address in logs, etc.

49
TCP SYN Scans
  • Nmap sends SYN
  • Gets SYN-ACK, ICMP unreachable, etc.
  • In any case, Nmap sends RESET
  • I.e., only 2/3 of the 3-way handshake completed
  • Plusses?
  • Stealthier (may not be logged by host)
  • Faster, fewer packets
  • Minuses?
  • Accidental DoS attack?

50
FIN Scan
  • FIN scan
  • Send FIN for non-existent connection
  • Port closed, protocol says send RESET
  • Port open, protocol says nothing
  • No reply may indicate port is open

51
Xmas Tree and Null Scans
  • Xmas tree scan
  • All flag bits set URG,ACK,PSH,RST,SYN,FIN
  • Null scan
  • Send packet with no flag bits set
  • Both of these violate protocol
  • Expect same behavior as FIN scan
  • Note These do not work against Windows
  • Since Windows does not follow the RFCs

52
TCP ACK Scan
  • Simpleminded packet filter might
  • Allow outbound, established connections
  • Block incoming if ACK bit not set

53
TCP ACK Scan
  • Packet filter assumes
  • ACK bit set ⇒ established connection
  • How can Trudy take advantage of this?
  • Send packets with ACK bit set!
  • These pass thru open ports
  • Allows for simple port scan of firewall

54
TCP ACK Scan
  • No response/unreachable filtered
  • RESET if port is not filtered

55
TCP ACK Scan
  • Trudy learns
  • Kinds of established connections that are allowed
    thru packet filter
  • ACK scan used to determine filtering rules
  • ACK scan not so useful for scanning open ports on
    a host
  • Different OSs respond differently
  • Some RESET if port is open, some if port closed

56
FTP Bounce Scan
  • Obscures source of scan
  • So Trudy's address not logged
  • Stealthy
  • Relies on FTP forwarding
  • User can request that a file be forwarded to
    another machine
  • Mostly disabled today

57
FTP Bounce Scan
  • FTP server informs attacker of result

58
Idle Scanning
  • Suppose no forwarding FTP server
  • Another way to obscure source of scan
  • IP header has ID field
  • Used to group fragments together
  • ID must be unique per packet
  • Often just increment a counter (Windows)

59
Idle Scanning
  • Pick a machine to blame for scan
  • Blamed machine
  • Attacker must be able to send/receive
  • Must have predictable IP IDs
  • Mostly idle, does not send much traffic (why?)
  • So IP IDs are predictable
  • Make it look like this machine scans
  • See next slide

60
Idle Scanning
  • Prepare to scan

61
Idle Scan
  • For the scan
  • Attacker sends spoofed SYN to target
  • Source is the blamed machine
  • Selected port
  • Port listening SYN-ACK to blamed machine
  • Blamed machine sends RESET to target
  • Port closed RESET/nothing to blamed
  • Blamed machine sends nothing
  • So what???

62
Idle Scanning
  • Recall, last IP ID is X (next is X + 1)

63
Idle Scan
  • Very clever!
  • Nmap automates this
  • May need to repeat multiple times
  • If blamed guy is not idle enough
  • May want to use several blamed guys
  • Other improvements?
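An added simulation of the idle scan exchange in slides 58 through 63 (example code, not from the deck): the three parties are modelled as Python objects, the zombie keeps an incrementing IP ID, and the inference from the ID difference is compared against a zombie that uses a per-destination counter, the kind of behaviour that makes a host unusable for blaming. Host addresses and the starting IP ID are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN-ACK, "R" = RESET
    ip_id: int = 0


class Zombie:
    """The 'blamed' idle host. shared_counter=True models one global
    incrementing IP ID (predictable); False models a per-destination counter,
    a mitigation that makes the host useless as a zombie."""

    def __init__(self, ip: str, shared_counter: bool = True, start: int = 1000):
        self.ip = ip
        self.shared_counter = shared_counter
        self.shared = start
        self.per_dst = defaultdict(lambda: start)

    def _next_id(self, dst: str) -> int:
        if self.shared_counter:
            self.shared += 1
            return self.shared
        self.per_dst[dst] += 1
        return self.per_dst[dst]

    def receive(self, pkt: Packet):
        # An unsolicited SYN-ACK is answered with a RESET (consuming an IP ID);
        # a RESET is silently dropped, so a closed target port costs no IP ID.
        if pkt.flags == "SA":
            return Packet(self.ip, pkt.src, 0, "R", self._next_id(pkt.src))
        return None


class Target:
    def __init__(self, ip: str, open_ports):
        self.ip, self.open_ports = ip, set(open_ports)

    def receive(self, pkt: Packet):
        # Replies go to the packet's (spoofed) source, i.e. to the zombie.
        if pkt.flags == "S":
            flags = "SA" if pkt.dport in self.open_ports else "R"
            return Packet(self.ip, pkt.src, 0, flags)
        return None


def idle_probe(attacker_ip: str, zombie: Zombie, target: Target, port: int) -> str:
    """Slides 60-62: read the zombie's IP ID, send one spoofed SYN, read again.
    +2 means the zombie sent a RESET in between (port open); +1 means it did not."""
    before = zombie.receive(Packet(attacker_ip, zombie.ip, 0, "SA")).ip_id
    reply = target.receive(Packet(zombie.ip, target.ip, port, "S"))  # spoofed source
    if reply is not None:
        zombie.receive(reply)
    after = zombie.receive(Packet(attacker_ip, zombie.ip, 0, "SA")).ip_id
    return {2: "open", 1: "closed"}.get(after - before, "unknown")


def demo() -> dict:
    target = Target("192.168.1.10", open_ports={80})     # constructed hosts
    predictable = Zombie("192.168.1.50")
    hardened = Zombie("192.168.1.51", shared_counter=False)
    return {
        "predictable_80": idle_probe("10.0.0.5", predictable, target, 80),
        "predictable_81": idle_probe("10.0.0.5", predictable, target, 81),
        "hardened_80": idle_probe("10.0.0.5", hardened, target, 80),
    }
```

With the per-destination counter the open port is reported as closed: the RESET the zombie sends to the target never shows up in the IDs the prober sees.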

64
UDP?
  • Much simpler, so fewer scan options
  • Not so easy to violate protocol
  • Nmap provides polite scan
  • Not stealthy
  • If ICMP unreachable, port is closed
  • If UDP packet sent back, then port is open
  • If nothing comes back, don't know

65
Version Scanning
  • Nmap can detect service/software on a port
  • In case service does not use official port
  • And to determine software version
  • Can determine services that use SSL
  • After 3-way handshake, service usually identifies
    itself
  • If not, Nmap sends some probing packets
  • UDP services are similarly easy to ID

66
Ping Sweeps
  • Nmap provides ping sweeps too
  • If incoming ICMP blocked, Nmap does sweep using
    TCP packets
  • To find live hosts, not as a port scan

67
RPC Scans
  • Nmap can scan for RPC applications
  • RPC is for distributed apps
  • Makes distributed app easy to program

68
RPC Scans
  • Familiar RPC services (Linux/UNIX)
  • rpc.rstatd --- performance stats from kernel
  • rwalld --- msgs to logged-in users
  • rup --- up time and load avg of a service
  • sadmind --- older service for Solaris admin
  • rpc.statd --- used with NFS
  • Many vulnerabilities in RPC
  • RPC scan may provide useful info to attacker

69
Source Port
  • Nmap can set source port
  • To avoid filtering at target
  • Might set source port to 80 or 25
  • Looks like Web traffic, email
  • Source port 20 also useful
  • Looks like FTP data connection
  • Why FTP?

70
FTP
  • Difficult for simple packet filter
  • Due to control connection (port 21) and data
    connection (port 20)
  • UDP port 53 (DNS) also a good choice

71
Decoys
  • Spoofed source addresses
  • If attacker uses n decoys
  • Then n + 1 packets sent to each port
  • One with correct source address (except for FTP
    bounce or idle scans)
  • and n with specified spoofed sources
  • What good does this do?

72
Active OS Fingerprinting
  • Attacker wants to know the OS
  • How to do this?
  • RFCs do not specify everything
  • E.g., how to respond to illegal combinations of
    TCP control bits
  • Nmap knows the inconsistencies

73
Active OS Fingerprinting
  • Nmap uses the following
  • SYN packet to open port
  • NULL packet to open port
  • SYN/FIN/URG/PSH to open port
  • ACK to open port
  • FIN/PSH/URG to closed port
  • UDP packet to closed port

74
Active OS Fingerprinting
  • Predictability of initial sequence numbers also
    used by Nmap
  • Nmap has database of > 1000 platforms
  • Xprobe2 --- active OS fingerprinting tool
  • Stealthier and more accurate than Nmap
  • Passive OS fingerprinting is possible
  • No traffic sent to target
  • Sniff packets sent by target
  • This is covered in Chapter 8

75
Nmap Timing Options
  • Paranoid --- one packet per 5 minutes
  • Sneaky --- one packet per 15 seconds
  • Polite --- one packet per 0.4 seconds
  • Normal --- as quickly as possible
  • Aggressive --- wait max of 1.25 sec for reply
  • Insane --- Wait max of 0.3 sec for reply
  • Will lose packets, resulting in false negatives
  • Timing also customizable

76
Fragmentation
  • Nmap also allows fragmentation
  • Helps against some IDS systems
  • Discuss later

77
Port Scanning Defenses
  • Harden the system
  • Close unused ports
  • Minimize services/tools
  • Check ports in use

78
Port Scanning Defenses
  • Scan yourself using Nmap
  • But this can cause problems
  • Use more intelligent firewalls
  • Stateful packet filters or proxies
  • instead of packet filters

79
Firewalk
  • Determines what gets thru firewall
  • Assuming a packet filter firewall
  • Nmap vs Firewalk
  • Nmap does port scan of hosts
  • What happens if you Nmap a firewall?
  • Tells you ports firewall is listening on
  • But, you want to know filtered ports

80
Firewalk
  • Nmap vs Firewalk
  • But what about Nmap ACK scan?
  • Attacker learns which ports firewall allows
    established connections
  • But SYN packets might be dropped
  • Firewalk tells attacker ports that firewall
    allows new connections on
  • More useful info to attacker

81
Firewalk
  • Requires 2 IP addresses
  • Address before filtering takes place (i.e.,
    external address of firewall)
  • Destination on other side of firewall
  • Firewalk has 2 phases
  • Network discovery (like traceroute)
  • Actual scanning

82
Firewalk
  • Network discovery phase
  • Use TTL to find hops to firewall

83
Firewalk
  • Scanning phase
  • Packet sent to host behind firewall
  • Note this works even if NAT is used

84
Firewalk
  • TTL field crucial to Firewalk
  • Packet filter and stateful packet filters both
    decrement TTL field
  • So Firewalk can work against these
  • Application proxy firewall?
  • Proxy does not forward packet
  • Instead, creates a new packet so what?

85
Firewalk
  • How can Trudy use Firewalk results?
  • To install software, must know which ports can be
    used
  • Scan for new services on open ports
  • Example: SSH (TCP port 22) open thru firewall, but
    SSH service not available
  • SSH temporarily activated by admin

86
Firewalk Defenses
  • Learn to live with it
  • Since based on TCP/IP fundamentals
  • Focus on better firewall rules/mgmt
  • Use proxy-based firewall
  • Might create problems
  • Likely to be much slower

87
Attack So Far
  • Trudy knows
  • Addresses of live hosts (ping, Cheops-ng)
  • Network topology (Traceroute, Cheops-ng)
  • Open ports on live hosts (Nmap)
  • Service version numbers (Nmap)
  • OS types (Nmap, Xprobe2)
  • Ports open thru firewall (Firewalk)

88
Vulnerability Scanning
  • Now what?
  • Trudy wants to know vulnerabilities
  • Tools automate process
  • Connect to host, test for vulnerabilities
  • Types of vulnerabilities
  • Configuration errors
  • Default configuration weaknesses
  • Well-known (published) vulnerabilities
  • 100s to 1000s of vulnerabilities

89
Vulnerability Scanning Tools
  • Tools typically employ the following
  • Vulnerability database
  • User configuration
  • Scanning engine
  • Knowledge base of current scan
  • Results/report/repository

90
Vulnerability Scanning Tools
91
Vulnerability Scanning Tools
  • Commercial tools include
  • Harris STAT Scanner
  • ISS's Internet Scanner
  • GFI LANguard Scanner
  • eEye's Retina Scanner
  • Qualys's QualysGuard (subscription based)
  • McAfee's Foundstone Foundscan (also subscription
    based)

92
Nessus
  • Nessus --- the most popular free vulnerability
    scanning tool
  • Can write your own vulnerability checks and lots
    of people have already done so
  • Nessus plug-ins
  • More than 1,000 plug-ins in categories

93
Nessus Plug-Ins
  • Categories of plug-ins are
  • Backdoors, CGI abuses, Cisco, Default UNIX
    accounts, DoS, Finger abuses, Firewalls, FTP,
    Gain shell remotely, Gain root remotely, General,
    Misc, Netware, NIS, P2P file sharing, Remote file
    access, RPC, SMTP, SNMP, Windows, Useless
    services
  • Each category 2 to 100s of vulnerabilities

94
Nessus Architecture
  • Client-server architecture
  • Client-server authentication, encryption, etc.

95
Nessus
  • Attacker selects
  • Plug-ins, target system, port range/type of
    scanning, port for Nessus client-server
    communication, encryption alg, email address for
    report
  • Attacker can also write scripts

96
Nessus Report
  • Nessus report format
  • Other tools make Nessus report more readable and
    informative

97
Vulnerability Scan Defenses
  • Close unused ports
  • Install latest patches
  • Run tools against your network
  • Be careful of DoS

98
Nessus DoS Options
  • Some risky, some not
  • Pwd guess could also be problem

99
Limitations of Vulnerability Scanning Tools
  • Only detect known vulnerabilities
  • Tools don't understand network architecture
  • Attacker might
  • Only gives a snapshot in time
  • Environment is dynamic

100
IDS (and IPS)
  • Scanning tools are noisy
  • Port scan may use 10,000s of packets
  • Vulnerability scan may send 100,000s or millions
    of packets
  • IDS likely to notice such activity
  • Attacker must try to evade IDS

101
IDS
  • Mostly signature based

102
IDS Evasion
  • To avoid signature detection
  • Change traffic
  • Change packet structure or syntax
  • Change the context
  • IDS might not know full context

103
IDS Evasion at Network Level
  • Fragments create problem for IDS
  • Must reassemble fragments
  • Attacker could
  • Use fragments --- IDS may not handle it
  • Fragment flood --- overwhelm IDS
  • Fragment in unusual ways --- to exploit weakness
    in IDS handling of fragments

104
Fragmentation
  • Tiny fragments
  • Not too effective vs modern IDS

105
Fragmentation
  • Fragment overlap
  • Handled differently by different OSs
  • Which makes the IDS's job more difficult

106
FragRouter and FragRoute
  • FragRouter --- fragmentation tool
  • Options include
  • Various sized fragments
  • Various overlapping schemes
  • Separates fragmentation from the attack

107
IDS Evasion at App Level
  • Nikto --- CGI scanner (IDS evasion)
  • CGI scripts run on server, activated by user on
    the network
  • Large number of CGI scripts vulnerable
  • Nessus does some CGI scanning
  • Nikto much more sophisticated
  • For attacks, makes subtle changes in HTTP to
    evade signature detection

108
Nikto
  • IDS evasion strategies
  • Hex equivalents of characters, Change to
    current directory, URL does not include CGI
    script info (instead, placed in HTTP header),
    Long (nonexistent but ignored) directory name,
    Fake parameter(s), TAB separations (instead of
    spaces), Case, Windows delimiters (backslash),
    NULL method, Session splicing (separate TCP
    packets, not fragments)

109
IDS Evasion Defenses
  • Use IDS, regardless of attacks
  • Keep signatures up to date
  • Use host-based and network-based IDS
  • For example, fragmentation attack easier to
    detect with host-based defense
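The slide-108 evasions all exploit an IDS that compares the raw request against its signature. The Python below is an added example, not from the slides: it normalizes the request path (percent-decoding, query stripping, backslash and case folding, dot-segment resolution) before matching, using a constructed signature set and constructed request lines; session splicing and the NULL method are transport-level tricks it does not address.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed signature list: request paths a CGI scanner is known to probe for.
SIGNATURES = {"/cgi-bin/test-cgi", "/cgi-bin/phf"}


def request_path(request_line: str) -> str:
    """Extract the URI from a request line, accepting TABs as separators."""
    parts = request_line.split()            # str.split() handles spaces and tabs
    return parts[1] if len(parts) >= 2 else ""


def normalize_path(uri: str) -> str:
    """Canonicalize before matching: decode %xx, drop the query string, treat
    backslashes as slashes, fold case, collapse '/./', 'x/../' and '//'."""
    path = uri.split("?", 1)[0]             # fake parameters do not change the script
    path = unquote(unquote(path))           # %74 -> 't'; twice for double encoding
    path = path.replace("\\", "/").lower()  # Windows delimiters, case
    path = re.sub(r"/+", "/", path)
    path = posixpath.normpath(path)         # '/./' and 'junk/../' resolve away
    return path if path.startswith("/") else "/" + path


def naive_match(request_line: str) -> bool:
    """Literal comparison of the URI as sent, split on spaces only."""
    parts = request_line.split(" ")
    return len(parts) >= 2 and parts[1] in SIGNATURES


def normalized_match(request_line: str) -> bool:
    return normalize_path(request_path(request_line)) in SIGNATURES


# Constructed evasive variants of the same probe (slide 108 techniques).
REQUESTS = [
    "GET /cgi-bin/test-cgi HTTP/1.0",                    # plain form
    "GET /cgi-bin/%74est-cgi HTTP/1.0",                  # hex equivalents
    "GET /cgi-bin/./test-cgi HTTP/1.0",                  # current directory
    "GET /nonexistent-dir/../cgi-bin/test-cgi HTTP/1.0", # bogus directory name
    "GET /cgi-bin/test-cgi?fake=1&x=2 HTTP/1.0",         # fake parameters
    "GET\t/cgi-bin/test-cgi\tHTTP/1.0",                  # TAB separators
    "GET /CGI-BIN/Test-CGI HTTP/1.0",                    # case
    "GET /cgi-bin\\test-cgi HTTP/1.0",                   # Windows delimiters
]


def evaluate(requests=REQUESTS):
    """Return (naive, normalized) verdicts per request."""
    return [(naive_match(r), normalized_match(r)) for r in requests]
```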

110
Conclusion
111
Summary