EECS 4980/6980: Computer Security Slide #1
EECS 4980/6980
Phase 1: Reconnaissance
Phase 2: Scanning
Topics
• Low Tech Reconnaissance
• Network Information Sources
• DNS Zone Transfers
• Network Mapping
• Port Scanning
• Stealth Scanning
• Version Identification
• Defences
• OS Fingerprinting
Reconnaissance
Collecting security-relevant information about an organization, including:
– Locations
– Related entities
– Personnel: names, phone numbers, email addresses
– Privacy or security policies
– Network and system configuration
– Remote access methods
Low Tech Reconnaissance
1. Social Engineering
2. Physical Break-In
3. Dumpster Diving
Social Engineering
Attacker uses a pretext to deceive an organization member into giving out confidential information.
Pretexts include personas and reasons:
Personas
– New employee
– Sysadmin
– Manager
Reasons
– Lost password
– Contact name/phone
– Reset password
Social Engineering Defences
• Security Policy
– Secure method for password resets.
– No requests for passwords.
• Security Awareness Program
– Educate personnel about social attacks.
– Educate personnel about security policy.
Physical Break-In
• Methods of Entry
– Employment.
– Enter on someone else’s coat tails.
• Physical Access
– Already logged in system.
– System with password written down nearby.
– Install hardware/software key loggers.
– Plug in laptop to Ethernet port.
– Take removable media or even hard disks.
Physical Defences
• Security Policy
– Personnel cannot enter without card.
– No coat-tailing.
– Policy for ID card replacement/temporary IDs.
• Security Mechanisms
– Card reader access.
– Guards.
– Automatic screen locks after 5 minutes.
– Locked file cabinets/drawers.
– Encryption.
Dumpster Diving
Search trash for sensitive information:
– Usernames and passwords,
– Phone directories,
– Network diagrams, etc.
2000: Oracle hired IGI (a PI company) to investigate pro-Microsoft groups.
– IGI searched trash to discover MS funding of supposedly independent advocacy groups.
Defences Against Dumpster Diving
• Security Policy
– Require special disposal of confidential data.
– Includes paper, floppies, etc.
• Security Mechanisms
– Paper shredder.
– De-gausser.
– Burning.
Information Resources
• Organization web site
– Check HTML source for comments.
– Check robots.txt for interesting files.
• Usenet postings
– Search groups.google.com for “@org” postings
– comp.security.*, comp.unix.*
• Search news sources about organization:
– finance.yahoo.com
– news.google.com
– Edgar database (www.sec.gov/)
• Send email to invalid address @org
– Identify mail server vendor and version.
– Email server topology and antivirus defences.
Google Hacking: Keywords
• site: for site-specific searches
– site:orgname
– keywords: dial, dialup, login, password
– job postings listing required programs/technologies
• link: find related sites
– link:sitename
• cache: see deleted pages or old versions
– cache:sitename
Google Hacking: Finding Directory Listings
• intitle: for text in title, not body.
– intitle:index.of “parent directory”
– intitle:index.of name size
• Combine with site: to specify your target.
Google Hacking: Finding Passwords
UNIX Passwords
intitle:"Index of..etc" passwd
MySQL History (often includes passwords)
intitle:"Index of" .mysql_history
See Google Hack Database for more queries.
Domain Name Registration
• http://www.allwhois.com/
• whois command
– wildcard search: “whois orgname.”
• Contact names: email, phone, address
• DNS servers
whois
Domain Name: LORAINCCC.EDU
Registrant: Lorain County Community College
1005 North Abbe Road Elyria, OH 44035-1691
Contacts:
Administrative Contact: Jeff B. Hurd (440) 555-5555 [email protected]
Technical Contact: Norm D. Lease (440) 555-5556 [email protected]
Name Servers: LC3MS1.LORAIN.CC.OH.US NS1.OAR.NET NS2.OAR.NET
Domain record activated: 20-May-1996
Domain record last updated: 13-Aug-2002
whois
> host intel.com
intel.com has address 198.175.96.33
> whois 198.175.96.33
[Querying whois.arin.net]
[whois.arin.net]
Intel Corporation NETBLK-INTEL-IT (NET-198-175-64-0-1) 198.175.64.0 - 198.175.123.255
Distributed Network Technical Support INTEL-IT33 (NET-198-175-96-0-1) 198.175.96.0 - 198.175.96.255
# ARIN WHOIS database, last updated 2004-04-04 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
Threats
• Social Engineering
– Pose as administrative contact via phone/email to gain information
• Wardialing
– Search telephone exchange for modems
• Domain Hijacking
– 1998 redirect of aol.com to autonete.net
• Further network investigation
– DNS queries
– Network scans of IP address space
DNS Zone Transfer
• List all DNS information for a domain
– All hostnames with their IP addresses
– MX records list mail servers and backups
• Commands
– host -l -v -t any lorainccc.edu
– nslookup
• set type=any
• ls -d lorainccc.edu
• Defences
– ACL allowing zone transfers only from the secondary DNS servers
– Separate internal and external DNS databases
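The first defence on the slide is an ACL that limits zone transfers to the secondary servers. The following script is an added example (not part of the lecture) that audits a BIND named.conf fragment for that setting: it reports, for every zone, the effective allow-transfer ACL and where it comes from (the zone itself, the options{} block, or BIND's built-in default). The configuration text, the zone names and the secondary addresses are constructed; the assumption that the built-in default permits transfers to any host matches classic BIND 9 and is marked in the code.

```python
"""Audit a BIND named.conf fragment for zones whose transfers are not
restricted to the secondary servers.  Constructed example for the DNS Zone
Transfer defences; not part of the lecture."""
import re

# Constructed named.conf: the first zone inherits the options{} default,
# the second allows transfers from anywhere, the third restricts transfers to
# two (made-up) secondary server addresses, which is the recommended setting.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};

zone "example.edu" {
    type master;
    file "example.edu.zone";
};

zone "corp.example.edu" {
    type master;
    file "corp.zone";
    allow-transfer { any; };
};

zone "lab.example.edu" {
    type master;
    file "lab.zone";
    allow-transfer { 192.0.2.53; 198.51.100.53; };
};
"""

OPTIONS_RE = re.compile(r'options\s*\{(.*?)\n\};', re.S)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
XFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def transfer_acl(block):
    """Entries of the allow-transfer statement in a block, or None if absent."""
    m = XFER_RE.search(block)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit_zone_transfers(conf):
    """Return {zone: {"acl", "source", "unrestricted"}} for every zone.

    A zone without its own allow-transfer inherits the one in options{}.
    With no statement at either level, classic BIND 9 allowed transfers to
    any host (assumption: newer releases tightened this; check your version).
    """
    opts = OPTIONS_RE.search(conf)
    default_acl = transfer_acl(opts.group(1)) if opts else None
    findings = {}
    for name, body in ZONE_RE.findall(conf):
        acl, source = transfer_acl(body), "zone"
        if acl is None:
            acl, source = default_acl, "options"
        if acl is None:
            acl, source = ["any"], "builtin default"
        unrestricted = any(e.lower() == "any" for e in acl)
        findings[name] = {"acl": acl, "source": source, "unrestricted": unrestricted}
    return findings


if __name__ == "__main__":
    for zone, f in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        verdict = "OPEN TO ANY" if f["unrestricted"] else "restricted"
        print(f"{zone:20} {verdict:12} acl={f['acl']} (from {f['source']})")
```

Run as-is it flags example.edu (open through the options{} default) and corp.example.edu (open through its own statement) and passes lab.example.edu. The parser assumes the one-statement-per-line layout shown; a full named.conf grammar (includes, views, ACL names) is outside what this example covers.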
Network Mapping
• DNS and whois searches have identified networks of interest.
• Next step: mapping the networks
• traceroute
– explore network topology
– identify firewalls
• ping scan
– find currently up hosts
traceroute
> traceroute www.eng.utoledo.edu
traceroute to green.eng.utoledo.edu (131.183.18.5), 30 hops max, 38 byte packets
 1 pc_elan (10.17.0.1)
 2 lc3gw2 (10.50.0.83)
 3 gwlcc.lorainccc.edu (192.232.30.1)
 4 oeb10-sl1-0-2-1c0.columbus.oar.net (199.18.112.49)
 5 oebc1-gigeth5-0-0.columbus.oar.net (199.18.199.1)
 6 tlp3-atm1-0.toledo.oar.net (199.18.202.53)
 7 utoledo-atm2-0s53.toledo.oar.net (199.18.111.230)
 8 131.183.252.222 (131.183.252.222)
 9 uc7500.utoledo.edu (131.183.1.198)
10 cifshomedirs.eng.utoledo.edu (131.183.18.5)
Network Diagramming
• traceroute to multiple internal hosts
– identify different paths
– identify firewalls that prevent traceroute
• Draw map of network based on traceroutes
• Helpful Tools
– firewalk: route tracing tool that bypasses many firewall configurations that stop traceroute
– neotrace: geographic map of network route
Defences
• Firewalls
– Restrict ingress of packet types commonly used for network mapping, e.g. ICMP.
• Detection
– IDS can detect network mapping attempts, letting you know which IPs are mapping your network.
Ping Scanning
• Send IP packet to each IP address in a network, checking for responses.
• Scan types
– ICMP echo
– TCP port 80
– TCP/UDP specific port
– Fragmented packets
Ping Scanning
> nmap -sP 10.17.0.0/24
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-04-05 13:57 EDT
Host pc_elan.lc3net (10.17.0.1) appears to be up.
Host 10.17.0.31 appears to be up.
Host 10.17.0.35 appears to be up.
Host sun02 (10.17.0.55) appears to be up.
Host sun09 (10.17.0.64) appears to be up.
Host pc208p01 (10.17.0.66) appears to be up.
Host sun14 (10.17.0.80) appears to be up.
Host 10.17.0.241 appears to be up.
Host 10.17.0.247 appears to be up.
Nmap run completed -- 256 IP addresses (54 hosts up) scanned in 4.510 seconds
Defences
• Firewalls
– Refuse ICMP echo ingress.
– Restrict TCP ports to necessary servers
• port 80 only to web server
• port 25 only to mail server
• Bypassing defences– Multiple sweeps with different target ports.
– ICMP timestamp and netmask request queries.
– Fragment scans.
Ping Scan vs Firewall
• Firewall Ruleset
– pass from any to 10.0.17.31 port 53
– pass from any to 10.0.17.35 port 25
– drop all
• > nmap -sP 10.17.0.0/24
Starting nmap 3.50 at 2004-04-05 13:57
Nmap run completed -- 256 IP addresses (0 hosts up) scanned in 72.430 seconds
Ping Scan vs Firewall
• Firewall Ruleset
– pass from any to 10.0.17.31 port 25 keep state
– pass from any port 53 to any keep state
– drop all
• > nmap -sP -PS25 10.17.0.0/24
– bypasses first rule, finds any hosts listening on port 25
• > nmap -sP -g 53 10.17.0.0/24
– bypasses second rule, as packets look like DNS response
Port Scanning
Method of discovering exploitable communication channels by probing networked hosts to find which TCP and UDP ports they’re listening on.
nmap TCP connect() scan
> nmap -sT at204m02
(1645 ports scanned but not shown are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
443/tcp   open  https
515/tcp   open  printer
2049/tcp  open  nfs
4045/tcp  open  lockd
5432/tcp  open  postgres
5901/tcp  open  vnc-1
6000/tcp  open  X11
32775/tcp open  sometimes-rpc13
Nmap run completed -- 1 IP address (1 host up) scanned in 43.846 seconds
Scanning Techniques
• TCP connect() scan
• TCP SYN scan
• TCP FIN scan
• TCP Xmas scan
• TCP Null scan
• TCP ACK scan
• Fragmentation Scan
• FTP bounce scan
• Idle Scan
• UDP scan
TCP connect() scan
• Use connect() system call on each port, following normal TCP connection protocol (3-way handshake).
• connect() will succeed if port is listening.
• Advantages: fast, requires no privileges
• Disadvantages: easily detectable and blockable.
TCP SYN Scan
• Send SYN packet and wait for response
– SYN+ACK
• Port is open
• Send RST to tear down connection
– RST
• Port is closed
• Advantage: less likely to be logged or blocked
• Disadvantage: requires root privilege
TCP FIN scan
• Send TCP FIN packet and wait for response
– No response
• Port is open
– RST
• Port is closed.
• Advantages: more stealthy than SYN scan
• Disadvantages: MS Windows doesn’t follow standard (RFC 793) and responds with RST in both cases, requires root privilege.
Xmas and Null Scans
• Similar to FIN scan with different flag settings.
• Xmas Scan: Sets FIN, URG, and PUSH flags.
• Null Scan: Turns off all TCP flags.
TCP ACK Scan
• Send TCP ACK packet to specified port
– RST
• Port is unfiltered
– No response or ICMP unreachable
• Port is filtered
• Used to determine if firewall is simple packet filter that blocks incoming SYN packets or whether it’s a stateful firewall.
Fragmentation Scan
• Modify TCP stealth scan (SYN, FIN, Xmas, NULL) to use tiny fragmented IP datagrams.
• Advantages: increases difficulty of scan detection and blocking.
• Disadvantages: does not work on all OSes, and may crash some firewalls/sniffers.
FTP Bounce Scan
• FTP protocol supports proxy ftp connections, allowing ftp client to request that a server send a file to any IP address.
• Advantages: bypass firewalls by using ftp server behind firewall as proxy for scans, hide identity of scanning host.
• Disadvantages: many ftp servers no longer support proxying.
Idle Scan
• Use intermediate “idle” (zero traffic) host that increments the IP identification header by one for each packet sent.
• Connect to idle host to obtain IP id.
• Send SYN packet to port X of target host with spoofed IP of idle host.
• If port is open, target host will send SYN+ACK to idle host.
• Connect to idle host to obtain updated IP id
– If IP id incremented, port X on target was open
• Advantage: no IP packets from your IP address
UDP Scan
• Send 0-byte UDP packet to each UDP port
– ICMP port unreachable
• Port is closed
– Nothing
• Assume port is open (packet may be lost)
• Advantages: Can discover UDP services
• Disadvantages: Most hosts limit ICMP error rate to a small number of packets/second (RFC 1812), making UDP scans of all 65535 ports very slow.
– MS Windows doesn’t implement rate limiting.
Version Scanning
• Port scanning reveals which ports are open
– Guess services on well-known ports.
• How can we do better?
– Find what server: vendor and version
– telnet/netcat to port and check for banner
– Version scanning
Banner Checking
> nc brahms.eecs.utoledo.edu 80
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Tue, 06 Apr 2004 14:45:35 GMT
Server: Apache/2.0.46 (Unix) PHP/4.3.2
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

<html><head><title>400 Bad Request</title></head><body>…<address>Apache/2.0.46 (Unix) PHP/4.3.2 Server at brahms.eecs.utoledo.edu Port 80</address></body></html>
Version Scanning
1. If port is TCP, open connection.
2. Wait for service to identify self with banner.
3. If no identification or port is UDP,
   1. Send probe string based on well-known service.
   2. Check response against db of known results.
4. If no match, test all probe strings in list.
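The banner-checking session and the version-scanning procedure above both come down to reading what a service says about itself and matching it against a table of known patterns. The script below is an added example (not part of the lecture, and not nmap's code) that applies those steps from the defender's side: it parses a raw HTTP response, runs the banner through a small constructed pattern table, and reports which product versions the Server header and the HTML body disclose. The first response reproduces the slide's nc session; the second is constructed to show the same server after Apache's ServerTokens Prod and ServerSignature Off directives suppress the version and the address footer.

```python
"""Check what a service banner gives away, following the version-scanning
procedure: read the banner, then match it against a table of known patterns.
Added example, not part of the lecture or of nmap; the responses and the
pattern table are constructed (the first response mirrors the nc session
shown in the slides)."""
import re

# Constructed: the raw response from the banner-checking slide.
VERBOSE_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Date: Tue, 06 Apr 2004 14:45:35 GMT\r\n"
    "Server: Apache/2.0.46 (Unix) PHP/4.3.2\r\n"
    "Content-Length: 325\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>400 Bad Request</title></head><body>"
    "<address>Apache/2.0.46 (Unix) PHP/4.3.2 Server at brahms.eecs.utoledo.edu Port 80</address>"
    "</body></html>"
)
# Constructed: the same server after `ServerTokens Prod` and `ServerSignature Off`.
HARDENED_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Date: Tue, 06 Apr 2004 14:45:35 GMT\r\n"
    "Server: Apache\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>400 Bad Request</title></head><body></body></html>"
)

# Constructed miniature of a version-scan database: (product, pattern whose
# first group captures the version string).
BANNER_DB = [
    ("Apache httpd", re.compile(r"Apache/(\d+(?:\.\d+)+)")),
    ("PHP", re.compile(r"PHP/(\d+(?:\.\d+)+)")),
    ("OpenSSH", re.compile(r"OpenSSH[_ ](\d[\w.]*)")),
    ("Microsoft IIS", re.compile(r"Microsoft-IIS/(\d+(?:\.\d+)*)")),
]


def parse_http_response(raw):
    """Split a raw HTTP response into (status line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def identify(text, db=BANNER_DB):
    """Steps 3b/4 of the procedure: try every known pattern against the text
    and collect (product, version) for each one that matches."""
    hits = []
    for product, pattern in db:
        m = pattern.search(text)
        if m:
            hits.append((product, m.group(1)))
    return hits


def audit_disclosure(raw):
    """Report which product versions the headers and the body disclose."""
    _, headers, body = parse_http_response(raw)
    server = headers.get("server", "")
    header_hits, body_hits = identify(server), identify(body)
    return {
        "server_header": server,
        "header_versions": header_hits,
        "body_versions": body_hits,
        "leaks_version": bool(header_hits or body_hits),
    }


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_disclosure(raw))
```

The same identify() table works on any captured banner, so it doubles as a quick inventory check for your own hosts; a real version-scan database holds thousands of such patterns plus the probe strings that elicit a banner from services that stay silent.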
nmap version scan
> nmap -sV at204m02
(The 1645 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE   VERSION
22/tcp    open  ssh       OpenSSH 3.7.1p2 (protocol 1.99)
80/tcp    open  http      Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2)
111/tcp   open  rpcbind   2-4 (rpc #100000)
443/tcp   open  ssl/http  Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2)
515/tcp   open  printer?
2049/tcp  open  nfs       2-3 (rpc #100003)
4045/tcp  open  nlockmgr  1-4 (rpc #100021)
5432/tcp  open  postgres?
5901/tcp  open  vnc       VNC (protocol 3.3)
6000/tcp  open  X11?
32775/tcp open  status    1 (rpc #100024)
Defences
• Detection
– Network Intrusion Detection Systems.
– Port scans often have distinct signatures.
– NIDS can react to scan by blocking IP address.
• Prevention
– Disable unnecessary services.
– Filter packets entering network.
– Filter packets on each host.
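The network-mapping defences slide says an IDS can tell you which addresses are mapping your network, and the slide above says port scans have distinct signatures. The script below is an added example (not part of the lecture) of the detection logic behind both statements, run over a constructed set of packet summaries as a sniffer on the monitored segment would record them: one source sends an ICMP echo to every host in a /24 (a ping sweep), then SYNs eight ports on one host, answering each SYN+ACK with a RST (the half-open signature of a SYN scan), while a legitimate client completes a normal three-way handshake. All addresses, ports and thresholds are constructed.

```python
"""Detect ping sweeps and port scans in packet summaries from a network
sniffer.  Added example for the network-mapping and port-scanning defence
slides (IDS detection of mapping attempts; scans have distinct signatures);
not part of the lecture.  All packet records below are constructed."""
from collections import defaultdict

# Record layout: (time_s, src, dst, proto, sport, dport, tcp_flags).
# ICMP echo requests carry no ports; flags are "S", "SA", "A", "R", "RA".
SCANNER, TARGET, CLIENT = "203.0.113.7", "10.17.0.35", "10.17.0.66"
OPEN_PORTS = {22, 25, 80}
PACKETS = []
# Ping sweep: one ICMP echo request to every host in 10.17.0.1-10.
for i in range(1, 11):
    PACKETS.append((0.1 * i, SCANNER, f"10.17.0.{i}", "icmp-echo", 0, 0, ""))
# SYN scan of TARGET: open ports answer SYN+ACK and the scanner tears the
# half-open connection down with RST; closed ports answer RST+ACK.
for k, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443]):
    t, sport = 2.0 + 0.1 * k, 40000 + k
    PACKETS.append((t, SCANNER, TARGET, "tcp", sport, port, "S"))
    if port in OPEN_PORTS:
        PACKETS.append((t + 0.01, TARGET, SCANNER, "tcp", port, sport, "SA"))
        PACKETS.append((t + 0.02, SCANNER, TARGET, "tcp", sport, port, "R"))
    else:
        PACKETS.append((t + 0.01, TARGET, SCANNER, "tcp", port, sport, "RA"))
# Benign traffic: a full three-way handshake and a single ping.
PACKETS += [
    (5.00, CLIENT, TARGET, "tcp", 51000, 80, "S"),
    (5.01, TARGET, CLIENT, "tcp", 80, 51000, "SA"),
    (5.02, CLIENT, TARGET, "tcp", 51000, 80, "A"),
    (6.00, CLIENT, "10.17.0.1", "icmp-echo", 0, 0, ""),
]

SWEEP_MIN_HOSTS, SCAN_MIN_PORTS, WINDOW_S = 8, 6, 10.0


def detect_ping_sweeps(packets, min_hosts=SWEEP_MIN_HOSTS, window=WINDOW_S):
    """{(src, probe): hosts} for sources whose ICMP echo or TCP SYN probes of
    one kind reach at least min_hosts distinct destinations within window."""
    probes = defaultdict(list)
    for t, src, dst, proto, _, dport, flags in packets:
        if proto == "icmp-echo":
            probes[(src, "icmp-echo")].append((t, dst))
        elif proto == "tcp" and flags == "S":
            probes[(src, f"tcp/{dport}")].append((t, dst))
    alerts = {}
    for key, events in probes.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - t0 <= window}
            best = max(best, len(hosts))
        if best >= min_hosts:
            alerts[key] = best
    return alerts


def detect_port_scans(packets, min_ports=SCAN_MIN_PORTS):
    """{(src, dst): {ports, open, style}} for sources that SYN at least
    min_ports distinct ports on one host; style tells half-open from connect()."""
    syn_flows = {(s, d, dp) for _, s, d, p, _, dp, f in packets if p == "tcp" and f == "S"}
    answered, followups = set(), defaultdict(set)
    for _, s, d, p, sp, dp, f in packets:
        if p != "tcp":
            continue
        if f == "SA" and (d, s, sp) in syn_flows:
            answered.add((d, s, sp))          # target replied SYN+ACK: port open
        elif f != "S" and (s, d, dp) in syn_flows:
            followups[(s, d, dp)].add(f)      # what the initiator sent afterwards
    ports = defaultdict(set)
    for s, d, dp in syn_flows:
        ports[(s, d)].add(dp)
    alerts = {}
    for (s, d), dports in ports.items():
        if len(dports) < min_ports:
            continue
        opened = [dp for dp in dports if (s, d, dp) in answered]
        connect = sum(1 for dp in opened if "A" in followups[(s, d, dp)])
        half_open = sum(1 for dp in opened
                        if "R" in followups[(s, d, dp)] and "A" not in followups[(s, d, dp)])
        if half_open and not connect:
            style = "SYN (half-open)"
        elif connect and not half_open:
            style = "connect()"
        elif connect and half_open:
            style = "mixed"
        else:
            style = "no open port answered"
        alerts[(s, d)] = {"ports": len(dports), "open": len(opened), "style": style}
    return alerts


if __name__ == "__main__":
    for (src, probe), n in detect_ping_sweeps(PACKETS).items():
        print(f"sweep: {src} probed {n} hosts with {probe}")
    for (src, dst), info in detect_port_scans(PACKETS).items():
        print(f"scan:  {src} -> {dst} {info}")
```

Grouping sweep probes by (source, probe type) is what lets a sweep that uses TCP SYNs to port 25 or a spoofed source port 53, as on the "Ping Scan vs Firewall" slides, show up as its own signature instead of blending into ordinary traffic, and the half-open classification is exactly the distinction between the connect() and SYN scans described earlier: a connect() scan leaves ACKs, a SYN scan leaves RSTs.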
OS Fingerprinting
Identify OS by specific features of its TCP/IP network stack implementation.
– Explore TCP/IP differences between OSes.
– Build database of OS TCP/IP fingerprints.
– Send set of specially tailored packets to host
– Match results to identical fingerprint in db to identify operating system type and version.
• Xprobe uses fuzzy matching techniques.
nmap OS fingerprint examples
> nmap -O at204m02
...
Device type: general purpose
Running: Sun Solaris 8
OS details: Sun Solaris 8
Uptime 10.035 days (since Sat Mar 27 08:59:38 2004)

> nmap -O 10.17.0.1
…
Device type: router
Running: Bay Networks embedded
OS details: Bay Networks BLN-2 Network Router or ASN Processor revision 9
OS Fingerprinting Techniques
• FIN probe
– RFC 793 requires no response
– MS Windows, BSDI, Cisco IOS send RST
• Bogus flag probe
– Bit 7 of TCP flags unused
– Linux <2.0.35 keeps flag set in response
• TCP ISN sampling
– Different algorithms for TCP ISNs
• IP Identification
– Different algorithms for incrementing IPID
OS Fingerprinting Techniques
• TCP Timestamp
– Is it supported, and if so, at what rate is it incremented?
• Don’t Fragment bit
– Some OSes send packets with Don’t Fragment set.
• TCP initial window size
– Some OSes use unique initial window sizes.
• ACK value
– Most OSes return ISN on FIN+PSH+URG packet, but some return ISN+1
OS Fingerprinting Techniques
• Fragmentation Handling
– Does first or second fragment of packet broken into overlapping fragments take precedence?
• TCP Options
– Does OS support all options?
– Which options does OS set on reply?
– What is the order of options and where is NOP padding added?
OS Fingerprinting Techniques
• Denial of Service attack
– Launch DoS attacks in order from oldest to newest, checking for which ones succeed.
– OSes have different levels of protection against DoS attacks depending on type and version.
Passive Fingerprinting
• Identify OSes of hosts on network by sniffing packets sent by each host.
• Use similar characteristics as active technique:
– TTL
– MSS
– Initial Window Size
– Don’t Fragment bit
• Tools: p0f
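Passive fingerprinting is also a defender's tool: sniffing your own segment tells you what is actually on it. The script below is an added example (not part of the lecture, and not p0f's code) that applies the four characteristics listed above to sniffed SYN packets. It first recovers the sender's initial TTL (the smallest common starting value not below the observed TTL, which also yields a hop-count estimate), then matches (initial TTL, window, MSS, DF) against a signature table, and finally compares each host's fingerprint with an asset inventory so that a host whose stack does not match what the inventory says, or a host the inventory does not know, raises an alert. The signature values, the observations and the inventory are all constructed for illustration; the OS labels are not an authoritative fingerprint database.

```python
"""Passive OS fingerprinting from observed SYN packets, in the style of p0f,
and comparison of the result with an asset inventory.  Added example for the
Passive Fingerprinting slide; not part of the lecture or of p0f.  The
signature values and all observations below are constructed for illustration
and are not an authoritative fingerprint database."""
from dataclasses import dataclass

INITIAL_TTLS = (32, 64, 128, 255)   # starting TTLs commonly used by OS stacks


@dataclass(frozen=True)
class SynObs:
    """Fields of a sniffed SYN that passive fingerprinting compares."""
    src: str
    ttl: int          # TTL as observed, i.e. after decrement by each hop
    window: int       # initial TCP window size
    mss: int          # MSS option
    df: bool          # Don't Fragment bit


# Constructed signature table: (label, initial TTL, window, MSS, DF).
SIGNATURES = [
    ("linux-like", 64, 5840, 1460, True),
    ("windows-like", 128, 65535, 1460, True),
    ("solaris-like", 255, 24820, 1460, True),
]

# Constructed observations from the monitored 10.17.0.0/24 plus one remote host.
OBSERVATIONS = [
    SynObs("10.17.0.55", 255, 24820, 1460, True),
    SynObs("10.17.0.66", 128, 65535, 1460, True),
    SynObs("10.17.0.80", 64, 5840, 1460, True),
    SynObs("10.17.0.99", 128, 8192, 1460, True),
    SynObs("192.0.2.10", 52, 5840, 1460, True),
]

# Constructed asset inventory: what each address is supposed to be running.
EXPECTED = {
    "10.17.0.55": "solaris-like",
    "10.17.0.66": "windows-like",
    "10.17.0.80": "solaris-like",
}


def guess_initial_ttl(observed):
    """(initial TTL, hop count): the smallest common starting TTL not below
    the observed value; the difference is the estimated number of hops."""
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed
    raise ValueError(f"TTL {observed} exceeds 255")


def fingerprint(obs, signatures=SIGNATURES):
    """(label, hops) for the first signature matching the observed SYN, or
    ("unknown", hops) when none matches."""
    initial, hops = guess_initial_ttl(obs.ttl)
    for label, sig_ttl, window, mss, df in signatures:
        if (initial, obs.window, obs.mss, obs.df) == (sig_ttl, window, mss, df):
            return label, hops
    return "unknown", hops


def compare_inventory(observations, expected):
    """{src: (kind, detail)} for hosts missing from the inventory or whose
    observed fingerprint disagrees with the inventory entry."""
    alerts = {}
    for obs in observations:
        label, hops = fingerprint(obs)
        if obs.src not in expected:
            alerts[obs.src] = ("not-in-inventory", f"{label}, {hops} hops away")
        elif expected[obs.src] != label:
            alerts[obs.src] = ("mismatch", f"expected {expected[obs.src]}, observed {label}")
    return alerts


if __name__ == "__main__":
    for obs in OBSERVATIONS:
        print(obs.src, *fingerprint(obs))
    for src, (kind, detail) in compare_inventory(OBSERVATIONS, EXPECTED).items():
        print(f"ALERT {src}: {kind} ({detail})")
```

On the constructed data, 10.17.0.80 is inventoried as a Solaris box but its SYNs look Linux-like, 10.17.0.99 matches nothing and is not in the inventory, and the remote host 192.0.2.10 is reported as roughly twelve hops away. Because nothing is sent, this check cannot be blocked by the target's firewall, and it runs continuously rather than at scan time.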
Fingerprinting Defences
• Detection
– NIDS
• Blocking
– Firewalling
– Some probes can’t be blocked.
• Deception
– IPpersonality changes Linux TCP/IP stack signature to that of another OS in nmap db.
Key Points
• Reconnaissance
– Don’t forget about low tech means.
– Organizations give away more information than most expect.
• Port Scanning
– Find more than just ports: versions, OSes.
– TCP/IP implementation differences provide much useful data.
References
1. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
2. William Cheswick, Steven Bellovin, and Aviel Rubin, Firewalls and Internet Security, 2nd edition, 2003.
3. Fyodor, “The Art of Port Scanning,” http://www.insecure.org/nmap/nmap_doc.html
4. Fyodor, NMAP man page, http://www.insecure.org/nmap/data/nmap_manpage.html
5. Fyodor, “Remote OS detection via TCP/IP Stack FingerPrinting,” Phrack 54, http://www.insecure.org/nmap/nmap-fingerprinting-article.html
6. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003.
7. Johnny Long, Google Hacking for Penetration Testers, Syngress, 2004.
8. Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed, 3rd edition, McGraw-Hill, 2001.
9. Ed Skoudis, Counter Hack, Prentice Hall, 2002.