You’re Being Watched: Cyber-Crime Scans
Novell Certified Professional
Laura Chappell

Novell Connection, March 2001, p. 20

Editor’s Note: This article supplements Laura Chappell’s session TUT 233, “Cyber Crime at Packet-Level,” at Novell BrainShare 2001 in Salt Lake City. (For more information about Novell BrainShare 2001, visit www.novellbrainshare.com.)

As the following headlines show, last year was a busy year for hackers:

• “Hacker Pleads Guilty in New York City to Hacking Into Two NASA Jet Propulsion Lab Computers Located in Pasadena, California” (December 1, 2000)

• “Orange County Man Pleads Guilty to Hacking Into Government Computers” (November 7, 2000)

• “Nine Are Indicted for Unlawfully Accessing Computers of U.S. Postal Service, State of Texas, and Canadian Department of Defense” (October 12, 2000)

• “Three Kazak Men Arrested in London for Hacking Into Bloomberg L.P.’s Computer System” (August 14, 2000)

• “‘Darkside Hacker’ Sentenced to 21 Months in Prison” (July 24, 2000)

Before launching these attacks, the hackers engaged in some reconnaissance, or information-gathering, processes such as the following:

• Social Engineering. By taking advantage of employees’ unsuspecting nature, hackers can obtain important information about a company’s network. For example, a hacker may pose as an executive’s secretary and call the company’s IS department, saying, “I’m Mr. Markson’s secretary. Unfortunately, Mr. Markson left his presentation on his desktop computer. I need his password to retrieve the file and send it to him.” Or a hacker may pose as an IS technician and ask individual users for permission to time their workstations’ response times as they log in. Of course, the hacker then writes down these users’ passwords if those passwords are passed in clear text form.

• Security Leaks. If you lock your front doors but leave your windows open, you are susceptible to a break-in. Likewise, employees who leave confidential information in plain view on their desk or on white boards make their company susceptible to hackers. Employees may also make their company vulnerable by failing to secure sensitive information, such as passwords and access lists.

• Scanning, Probing, and Listening. Using standard querying techniques and relying on their understanding of network communications and configurations, hackers actively and passively gather information about a company’s network activity.

This article (and the accompanying Novell BrainShare 2001 presentation) examines the types of scans hackers use to identify and characterize network devices. Specifically, this article focuses on the evidence that a scan has occurred, evidence that you can find by analyzing the packet-level communications that cross the wire. After you understand the types of scans hackers use, you can build filters for your protocol analyzer to detect scans before hackers can actually launch a cyber attack.

Scanning techniques fall into the following categories:

• Address Resolution Protocol (ARP) scans

• Internet Control Message Protocol (ICMP) scans

• User Datagram Protocol (UDP) Port scans

• Transmission Control Protocol (TCP) scans

ARP SCAN

Before communicating with a host, an IP device must obtain the hardware address of the destination host or the next-hop router along the path to the host. The IP device sends ARP broadcasts to resolve the hardware address of the destination with the known IP address.

Hackers can discover active devices on the local network segment by sending a simple series of ARP broadcasts and incrementing the value for the target IP address field in each broadcast packet. For example, Figure 1 shows an ARP scan in progress. (The trace files shown in this article are available online at www.packet-level.com/traces.htm. The trace files are available in both Sniffer [.cap] format and EtherPeek [.pkt] format. Sniffer is a protocol analyzer available from Network Associates Inc. EtherPeek is a protocol analyzer available from WildPackets Inc.)

The ARP scan is close to foolproof: every IP device on a network segment answers an ARP request for its own IP address (the request is broadcast; the reply goes back unicast to the requester), and a host-based IP filter cannot block it because ARP sits below IP. Its limit is reach: ARP does not cross routers, so the scanner must already be attached to the local segment.
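The ARP scan and the “sequential ARP destinations” threshold from the filter table, worked through as code. This is an added example and is not code from the article or from either analyzer product it mentions: it fabricates Ethernet II frames carrying ARP requests (the MAC and IP addresses are invented for the example), applies the 0x0806 EtherType filter, and reports any sender whose requests walk a run of consecutive target addresses, which a host resolving its gateway or a few peers never does.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806   # the Ethernet II Type value the table's ARP filter keys on
ARP_REQUEST = 1


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Fabricate an Ethernet II frame carrying an ARP request (sample traffic only)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1, 0x0800, 6, 4,            # Ethernet, IPv4, MAC length, IP length
        ARP_REQUEST,
        sender_mac, IPv4Address(sender_ip).packed,
        b"\x00" * 6, IPv4Address(target_ip).packed,
    )
    return eth + arp


def parse_arp_request(frame: bytes):
    """Return (sender_mac, target_ip) for an ARP request frame, else None.

    The EtherType test is the 0x0806 filter from the table; replies are
    ignored because only requests reveal what the sender is probing for."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    fields = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    opcode, sender_mac, target_ip = fields[4], fields[5], fields[8]
    if opcode != ARP_REQUEST:
        return None
    return sender_mac, str(IPv4Address(target_ip))


def find_arp_scanners(frames, min_run: int = 5):
    """Report senders whose ARP requests walk consecutive target addresses.

    Returns {sender_mac: distinct_targets} for each sender that asked for at
    least `min_run` consecutive IP addresses (the "sequential ARP destinations"
    threshold from the table)."""
    targets = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed:
            mac, ip = parsed
            targets[mac.hex(":")].add(int(IPv4Address(ip)))

    scanners = {}
    for mac, ips in targets.items():
        longest = run = 0
        previous = None
        for ip in sorted(ips):
            run = run + 1 if previous is not None and ip == previous + 1 else 1
            longest = max(longest, run)
            previous = ip
        if longest >= min_run:
            scanners[mac] = len(ips)
    return scanners


# Constructed sample traffic (addresses invented for this example): one host
# resolving its default gateway, and one scanner walking 10.0.0.1 to 10.0.0.10.
NORMAL_HOST = b"\x00\x10\x5a\x01\x02\x03"
SCANNER = b"\x00\x50\x56\xaa\xbb\xcc"
SAMPLE_FRAMES = [build_arp_request(NORMAL_HOST, "10.0.0.9", "10.0.0.1")]
SAMPLE_FRAMES += [build_arp_request(SCANNER, "10.0.0.200", f"10.0.0.{n}") for n in range(1, 11)]

if __name__ == "__main__":
    for mac, count in find_arp_scanners(SAMPLE_FRAMES).items():
        print(f"ARP scan from {mac}: {count} targets probed")
```

The run-length test is deliberately tolerant of gaps: a scanner that skips addresses or probes out of order still shows up once it has asked for `min_run` neighbouring addresses in total, while a busy server that resolves dozens of unrelated peers does not.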

ICMP SCAN

ICMP provides error and information messages across the internetwork. In addition, hackers can use ICMP to discover information about active devices on the network. You should monitor the following ICMP scans on your company’s network:

• ICMP Echo (ping) scans

• ICMP Router Solicitation scans

• ICMP Address Mask scans

ICMP Echo (Ping) Scan

The ICMP Echo scan is the most simplistic discovery method and the easiest to detect. By sending a series of ICMP echo request (ICMP type 8) packets to various IP addresses and watching for echo replies (ICMP type 0), a hacker can determine which systems are active (or “alive”). Knowing that intrusion detection systems (IDSs) are designed to catch this type of discovery sequence, hackers vary the destination devices or delay the ping interval by minutes, hours, or even days.

The most efficient way to launch an ICMP Echo scan is to send a single ping to the subnet’s directed broadcast address and collect the replies. Ordinary ping utilities typically will not send this packet (on Linux, ping refuses a broadcast address unless you pass the -b flag), so hackers use special utilities and packet generators to perform this type of scan. The result is also incomplete: many hosts are configured to ignore broadcast echo requests, a hardening step that became routine after the smurf amplification attacks, and routers are usually configured not to forward directed broadcasts arriving from outside the subnet.

ICMP Router Solicitation Scan

The ICMP Router Solicitation scan is used to actively find routers on a network. Of course, a hacker could set up a protocol analyzer to detect routers as they broadcast routing information on the network. In some instances, however, routers may not send updates. For example, if the local network does not have other routers, the router may be configured not to send routing information packets onto the local network.

ICMP offers a method for router discovery, defined in RFC 1256. Clients send ICMP router solicitation messages to the all-routers multicast address (224.0.0.2) or to the broadcast address, and routers on which router discovery is enabled respond with router advertisements. (For more information about the process of ICMP router solicitation, see “Routing Sequences for ICMP” on p. 32.)

By sending ICMP Router Solicitation packets (ICMP type 10) on the network and listening for ICMP Router Advertisement replies (ICMP type 9), hackers can build a list of all of the routers that exist on a network segment. Hackers often use this scan to locate routers that do not reply to ICMP echo requests.

ICMP Address Mask Scan

Hackers use the ICMP Address Mask scan to locate active devices on the network. During an ICMP Address Mask scan, a host sends out Address Mask requests (ICMP type 17) and listens for Address Mask replies (ICMP type 18).

Originally, ICMP Address Mask request packets were designed to obtain the local subnet mask for a client. Today, however, this functionality is rarely used because IP addresses and subnet masks are either assigned manually at the client or assigned automatically through Dynamic Host Configuration Protocol (DHCP). Because few current hosts answer the request at all, a reply is itself a clue to the kind of device that sent it.


 Figure 1. This ARP scan has identified 10 IP clients and their hardware addresses.

Figure 2. This UDP scan indicates that UDP ports 75 and 79 are open.


Creating Filters to Detect Cyber Attacks

(Flag and protocol values are given in hexadecimal, as they appear in an analyzer’s offset filter; the IP total length is decimal.)

ARP scans
Filter: the value 0x0806 in the Type field of the Ethernet II header.
Threshold: ARPs are common. If a network experiences a high number of ARPs at one time or sequential ARP destinations, however, examine the source.

ICMP Echo (Ping) scans
Filter: the value 1 in the IP protocol field (indicating ICMP) and the values 8 (Echo) and 0 (Echo Reply) in the ICMP type field.
Threshold: Pings should be limited on the network. Consider setting an alarm threshold at 50 ping packets per second. Be alert to the source of ping packets, and consider restricting incoming pings from the Internet.

ICMP Router Solicitation scans
Filter: the value 1 in the IP protocol field (indicating ICMP) and the values 10 (Router Solicitation) and 9 (Router Advertisement) in the ICMP type field.
Threshold: Examine the network design to determine whether or not these packets are normal: Do hosts obtain their router information using this protocol? If not, consider disabling ICMP router advertisement responses and filtering on these packets.

ICMP Address Mask scans
Filter: the value 1 in the IP protocol field (indicating ICMP) and the values 17 (Address Mask request) and 18 (Address Mask reply) in the ICMP type field.
Threshold: Examine the network to determine if this protocol is used intentionally. If not, consider filtering on these packets and examining the source of the request packets.

UDP Port scans
Filter: the value 0x11 (17) in the IP header protocol field (indicating UDP) and a minimal packet size (the value 28 in the IP total length field: a 20-byte IP header plus an 8-byte UDP header and no data).
Threshold: These packets should never occur on the network. They serve no purpose except as port scans. Some scanners throw meaningless data after the UDP header, so you may need to adjust the total length value.

Vanilla TCP Connect scans
Filter: the value 6 in the IP header protocol field (indicating TCP) and the TCP flags field values 0x02 (SYN flag bit) or 0x12 (SYN and ACK flag bits).
Threshold: Since TCP handshakes are a normal part of TCP network operations, you should not be alarmed by these packets unless they become excessive. Watch the number of these packets that occur on the network.

TCP Half-Open scans
Filter: the value 6 in the IP header protocol field (indicating TCP) and the TCP flags field value 0x02 (SYN flag bit).
Threshold: TCP handshakes are a normal part of TCP network operations. Do not be alarmed by these packets unless you have a much greater number of SYN packets than SYN/ACK packets. This situation indicates half-open connections.

TCP FIN scans
Filter: the value 6 in the IP header protocol field (indicating TCP) and the value 0x01 in the TCP flags field (the FIN bit alone, which is what the FIN scan sends).
Threshold: A FIN without ACK never occurs on an established connection (every segment after the handshake carries ACK), so treat any such packet as a probable scan. Do not confuse it with the FIN and ACK combination (0x11), which closes connections normally; if you also monitor FIN/ACKs, set an alarm threshold of 50 FIN/ACKs per second and watch that threshold closely.

TCP XMAS scans
Filter: the value 6 in the IP header protocol field (indicating TCP) and the value 0x29 in the TCP flags field (the URG, PSH, and FIN bits).
Threshold: These packets should never occur on the network. They serve no purpose except as a scan.

continued below


UDP PORT SCAN

Hackers use UDP Port scans to identify listening UDP ports on a target host. These port numbers identify the UDP-based application-layer protocols, such as Trivial File Transfer Protocol (TFTP), which are running on a target device.

UDP scan packets include the data-link header, an IP header, and a UDP header. That’s all. By varying the destination port number value in the UDP header and watching the responses, a hacker can determine which UDP ports are listening on the target device. If a target device does not listen on a port, the device replies with an ICMP Destination Unreachable (Port Unreachable) packet, ICMP type 3 code 3, which quotes the IP header and first 8 bytes of the offending probe. (See Figure 2 on p. 22.)

As you can see in Figure 2, the target host 10.0.0.9 does not send an ICMP response for ports 75 (dial-out service) or 79 (finger). This indicates that those ports are probably listening. Silence is only probable evidence: a firewall that drops the probe, or a stack that rate-limits its ICMP errors (Linux, for example, limits how fast it sends destination unreachable messages), produces the same absence of a reply, so a careful scanner retries silent ports and records them as “open or filtered.” As you can see by the source and destination port numbers, the UDP Port scan shown in Figure 2 is being performed in sequential order. A sophisticated hacker would most certainly vary the port numbers to avoid detection.
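The probe-and-reply correlation just described, as an added example that is not code from the article or from any scanner or analyzer product. It fabricates header-only UDP probes and the ICMP port-unreachable replies they provoke (the 10.0.0.2 and 10.0.0.9 addresses, the port range 73 to 80 and the two silent ports mirror the Figure 2 case but are constructed here), picks probes out by the 28-byte IP total length the filter table uses, reads the quoted IP header inside each ICMP error to learn which probe it answers, and reports silent ports as “open|filtered” rather than open.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_ICMP, IPPROTO_UDP = 1, 17      # 17 is the 0x11 the filter table refers to
ICMP_DEST_UNREACH, ICMP_PORT_UNREACH = 3, 3
BARE_UDP_LENGTH = 28                   # 20-byte IP header + 8-byte UDP header, no data


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IP header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ip(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """IPv4 datagram with a valid header checksum (sample traffic only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp_probe(src, dst, sport, dport):
    """Header-only UDP probe: the IP total length comes out as exactly 28."""
    return build_ip(src, dst, IPPROTO_UDP, struct.pack("!HHHH", sport, dport, 8, 0))


def build_port_unreachable(src, dst, offending: bytes):
    """ICMP type 3 code 3 quoting the offending IP header plus 8 bytes (RFC 792).
    The ICMP checksum is left at zero; the parser below does not verify it."""
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + offending[:28]
    return build_ip(src, dst, IPPROTO_ICMP, icmp)


def parse_ip(packet: bytes) -> dict:
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"total_len": total_len, "proto": proto, "src": str(IPv4Address(src)),
            "dst": str(IPv4Address(dst)), "payload": packet[ihl:total_len]}


def udp_scan_report(packets):
    """Pair bare UDP probes with the ICMP port-unreachable replies they provoke.

    Returns {(scanner, target): {"closed": ports, "open|filtered": ports,
    "sequential": bool}}. A probed port with no ICMP reply is "open|filtered":
    silence also results from a firewall dropping the probe or from the
    target rate-limiting its ICMP errors."""
    probes, closed = set(), set()
    for packet in packets:
        ip = parse_ip(packet)
        if ip["proto"] == IPPROTO_UDP and ip["total_len"] == BARE_UDP_LENGTH:
            _, dport = struct.unpack("!HH", ip["payload"][:4])
            probes.add((ip["src"], ip["dst"], dport))
        elif ip["proto"] == IPPROTO_ICMP and ip["payload"][:2] == bytes([ICMP_DEST_UNREACH, ICMP_PORT_UNREACH]):
            quoted = parse_ip(ip["payload"][8:])          # the original datagram
            if quoted["proto"] == IPPROTO_UDP:
                _, dport = struct.unpack("!HH", quoted["payload"][:4])
                closed.add((quoted["src"], quoted["dst"], dport))

    report = {}
    for scanner, target, port in probes:
        entry = report.setdefault((scanner, target), {"closed": set(), "open|filtered": set()})
        entry["closed" if (scanner, target, port) in closed else "open|filtered"].add(port)
    for entry in report.values():
        ports = sorted(entry["closed"] | entry["open|filtered"])
        entry["sequential"] = ports == list(range(ports[0], ports[0] + len(ports)))
    return report


# Constructed sample: 10.0.0.2 walks ports 73-80 on 10.0.0.9 in order; the target
# answers every probe with port unreachable except 75 and 79 (the Figure 2 case).
SCANNER, TARGET = "10.0.0.2", "10.0.0.9"
SAMPLE_PACKETS = []
for _port in range(73, 81):
    _probe = build_udp_probe(SCANNER, TARGET, 40000 + _port, _port)
    SAMPLE_PACKETS.append(_probe)
    if _port not in (75, 79):
        SAMPLE_PACKETS.append(build_port_unreachable(TARGET, SCANNER, _probe))

if __name__ == "__main__":
    for (scanner, target), entry in udp_scan_report(SAMPLE_PACKETS).items():
        print(f"{scanner} -> {target}: {entry}")
```

The key step is reading the quoted header inside the ICMP error: the error comes from the target’s address, not the probed port, so without the quote there is no way to tell which of the probes it answers. The `sequential` flag is the detection hint from the text; a scanner that randomizes port order defeats it, which is why the 28-byte length filter, not the order, is the primary signature.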

TCP SCAN

Hackers use TCP scans to identify active devices and their TCP-based application-layer protocols. TCP scans exploit either the TCP handshake process or the TCP connection maintenance process.

Seven types of TCP scans are commonly used:

• Vanilla TCP Connect scans

• TCP Half-Open scans

• TCP FIN scans

• TCP XMAS scans

• TCP NULL scans

• TCP ACK scans

• TCP SYN/FIN with Fragments scans

Vanilla TCP Connect Scan

Hackers use the Vanilla TCP Connect scan to identify listening TCP ports on a target device. These port numbers identify the TCP-based application-layer protocols (such as HTTP or FTP) that are running on the target device.

Most of the more important application-layer protocols use TCP as their transport method. TCP relies on a connection sequence that starts with a TCP handshake. (For more information about the TCP handshake process, see “Inside the TCP Handshake,” Novell Connection, Mar. 2000, pp. 34–35. You can download this article from www.ncmag.com/past.) This TCP connection sequence can be used to determine which listening ports are available on a target device.

During the Vanilla TCP Connect scan, a hacker sends the first packet of the handshake sequence with the Synchronize flag (SYN) set to the intended target device. If the target port is closed, the target device sends a TCP reply with the Reset (RST) flag set. If the target port is open, the target device sends a TCP reply with the SYN and Acknowledgment (ACK) flags set. Finally, the hacker sends an ACK response to complete the three-way TCP handshake. (See Figure 3 on p. 30.)

Some IDS devices won’t log this process as a hacking attempt because the connection was completed successfully (the listening application, on the other hand, sees a complete connection and may well log it). If the hacker does not send the final ACK packet, however, the connection will be left in a half-open state. This may trigger an IDS alarm.

TCP Half-Open Scan

Hackers use the TCP Half-Open scan to detect the listening ports on a target device. Unlike the Vanilla TCP Connect Scan, TCP Half-Open scans do not include the final ACK packet, the third packet of the TCP three-way handshake. (Scanners usually answer the SYN/ACK with an RST instead, so that the target tears the embryonic connection down at once.)

Note. You can use the Windows NETSTAT utility (netstat -an) on a suspected target to identify half-open connections: they appear in the SYN_RECEIVED state. NETSTAT reports only the host it runs on, so check each server of interest rather than expecting a network-wide view.

Creating Filters to Detect Cyber Attacks (continued)

TCP NULL scans
Filter: the value 6 in the IP header protocol field (indicating TCP) and the value 0x00 in the TCP flags field (no flag bits set).
Threshold: These packets should never occur on the network. They serve no purpose except as a scan.

TCP ACK scans
Filter: the value 6 in the IP header protocol field (indicating TCP) and the value 0x10 in the TCP flags field (the ACK bit alone).
Threshold: These packets are used to acknowledge receipt of data. A high number of these packets, however, may signal a possible scan underway. The give-away is an ACK that matches no existing connection on the receiving host, which a stateful IDS can check and a flag filter alone cannot.

TCP SYN/FIN with Fragments scan
Filter: the value 6 in the IP header protocol field (indicating TCP) and the More Fragments (MF) bit set in the IP header flags, with a fragment offset of 0.
Threshold: If these first fragments are minimum size (carrying fewer than 20 bytes after the IP header, that is, less than a full TCP header), they should never occur on the network. They serve no purpose except as a scan.

TCP FIN Scan

Hackers use the TCP FIN scan to identify listening TCP port numbers based on how the target device reacts to a transaction close request for a TCP port (even though no connection exists before these close requests are made). This type of scan can get through basic packet-filtering firewalls and boundary routers that block only incoming connection attempts (packets with the SYN flag set) and pass other TCP packets. The TCP packets used in this scan carry only the FIN flag, not the FIN and ACK combination that a normal close uses.

If the target device’s TCP port is closed, the target device sends a TCP RST packet in reply. If the target device’s TCP port is open, the target device discards the FIN and sends no reply. (Silence also results when a firewall drops the probe, so “no reply” means open or filtered, not proven open.) Figure 4 shows the TCP flags field when the FIN scan is used. Note that this response pattern depends on a stack that follows RFC 793; Microsoft Windows stacks, among others, answer with RST regardless of whether the port is open, so on those targets a FIN scan reports every port as closed. The same caveat applies to the XMAS and NULL scans.

TCP XMAS Scan

Hackers use the TCP XMAS scan to identify listening TCP ports. This scan uses a series of strangely configured TCP packets, which contain a sequence number of 0 and the Urgent (URG), Push (PSH), and FIN flags. Again, this type of scan can get through some basic firewalls and boundary routers that filter on incoming TCP packets with standard flag settings.

If the target device’s TCP port is closed, the target device sends a TCP RST packet in reply. If the target device’s TCP port is open, the target discards the TCP XMAS scan packet, sending no reply.

TCP NULL Scan

Hackers use the TCP NULL scan to identify listening TCP ports. This scan also uses a series of strangely configured TCP packets, which contain a sequence number of 0 and no flags. Again, this type of scan can get through some firewalls and boundary routers that filter on incoming TCP packets with standard flag settings.

If the target device’s TCP port is closed, the target device sends a TCP RST packet in reply. If the target device’s TCP port is open, the target discards the TCP NULL scan packet, sending no reply.

Figure 3. The TCP Port scan indicates that the destination device supports telnet.

Figure 4. The breakdown of the TCP FIN flag setting in the TCP header.

Figure 5. The TCP ACK scan packet can go through firewalls to test for active systems.

TCP ACK Scan

Hackers use the TCP ACK scan to identify active web sites that may not respond to standard ICMP pings because these web sites have been configured not to respond to these pings. The TCP ACK scan uses TCP packets with the ACK flag set, sent to a probable port number, a port number that is most likely open on the destination. For example, port 80 is the standard port used for HTTP communications. (Figure 5 shows the flag setting used in TCP ACK scan packets.)

The purpose of the TCP ACK packet is simply to determine whether the host is active, so hackers do not need to use the ping packet. A stateless packet filter that blocks incoming SYNs but passes packets with ACK set, to let replies to outbound connections through, passes this probe as well.

If the target device is reachable, it sends a TCP RST packet in reply. Because the ACK belongs to no existing connection, the target sends that RST whether the port is open or closed; an ACK scan therefore reveals that the host is up and the port is not filtered, but not whether anything is listening on it. Only when a firewall drops the probe is there no reply at all.

TCP SYN/FIN With Fragments Scan

Hackers often use the TCP SYN/FIN With Fragments scan to bypass a filtering device. To perform this scan, hackers fragment a packet inside the TCP header: the flags byte sits at offset 13 of the TCP header, so a first fragment that carries only the first 8 bytes of the TCP header (enough for the port numbers) leaves the flags in the second fragment. Unless the filtering device reassembles the packet, or rejects first fragments too short to hold a complete transport header (the defence described in RFC 1858), this device will not know that the incoming packet is a TCP SYN/FIN packet.

CATCHING SCANS WITH A PROTOCOL ANALYZER

Using a protocol analyzer, you can easily set up a series of filters that can identify the flag patterns used in scan packets. For example, in Figure 6, I created a filter to catch all TCP XMAS scan packets. These packets contain the value 0x29 at the flags’ offset in the TCP header. (With a 20-byte IP header and no options, that offset is byte 47 of the Ethernet frame: 14 bytes of Ethernet header, 20 bytes of IP header, and 13 bytes into the TCP header.)

“Creating Filters to Detect Cyber Attacks” on page 24 will help you identify the most common types of scans and the filters you can use to detect these attacks. In some cases, a single packet signals a problem on the network. In other cases, a low threshold should trigger an alarm.

Since performing a scan is the first step to launching a cyber attack, detecting scans as quickly as possible is important. For more information about building advanced filters for your protocol analyzer, see the “Advanced Packet Filtering” article, which is posted online at www.packet-level.com. You can also attend the “Advanced Network Analysis” session TUT231 at BrainShare 2001 in Salt Lake City.

Laura Chappell has just released Advanced Network Analysis Techniques, which is available online at www.podbooks.com.


 Figure 6. The TCP XMAS filter 
