CSCD434 Lecture 8 Spring 2014 Scanning Activities Network Mapping and Scanning

Jan 16, 2016

Patrick Greer

Transcript
Page 1:

CSCD434

Lecture 8, Spring 2014

Scanning Activities: Network Mapping and Scanning

Page 2:

Review

• Recall where we are going – Phases of Attack
1. Reconnaissance
2. Scanning – Finding machines and services; Vulnerability Scanning
3. Gaining Access – Attacks
4. Maintaining Access
5. Covering Tracks and Hiding

Page 3:

Assume Attacker is Serious

• In previous slide … Attacker is dedicated and serious
• Wants to access systems to make money
• Will dedicate time and resources to accomplish goals

Page 4:

Scanning

• After Reconnaissance (whois, google hacks, dig) – What do Attackers Know?
• IP Addresses of network
• Domain names
• Technical contact information
• Telephone numbers
• Physical address
• Mail servers, possible operating systems of servers

Page 5:

Scanning

• What more do they need before attacking? – Two Levels of Information
1. Map of your network – Network Mapping
• Ideally, location of every internal machine with sensitive information
– Company Data Bases
– Critical servers, Intranet machines
– Firewalls
– Intrusion Detection Systems
– and Routers

Page 6:

Scanning

2. Services running on each host – Port Scanning
– Services and OS's
• Server services – DNS, Web, Mail, FTP, Database
– File Servers – NFS
• Operating Systems – Cisco, Windows, Vista, Linux, Mac, others ...

Page 7:

Scanning

• Why do we (hackers) need to identify computer Services?

Page 8:

Introduction to Port Scanning

• Port Scanning – Finds out which services are offered by a host
• Identifies vulnerabilities – Open services
• Identify a vulnerable port – Launch an exploit
• Scan all ports – Not just well-known ports
• Ping Scan – Is the simplest scan to find out if the machine is even up

Page 9:

Introduction to Port Scanning

• Port scanning programs report
– Open ports
– Closed ports
– Filtered ports
– Best-guess assessment of which OS is running

Page 10:

Types of Port Scanning

• TCP SYN Scanning – “half open” scanning
– Sends a SYN packet to each remote port. Open ports respond with a SYN/ACK packet; closed ports usually respond with an RST packet.
• TCP FIN Scanning – Sends a FIN packet (normally sent to clear a connection when the conversation is finished)
– Closed ports usually respond with an RST packet; open ports usually ignore FIN packets.
• UDP Scanning – more difficult than TCP since UDP services may not respond
– If an ICMP “port unreachable” message is received, however, it is an indication the service is NOT running.

Page 11:

Types of Port Scanning

• Fragmentation Scanning – break scan up into several smaller packets
– This may result in being able to hide the scan from firewalls and IDS.
• Relay or bounce scanning – send scan through another system (proxy or forwarding gateway)
– May confuse/hide origin of attack
• Decoy scanning – send a large number of spoofed packets along with your real one, so they hide the real scan

Page 12:

Examples of Scans

Page 13:

Normal TCP Handshake

Client → SYN → Server
Client ← SYN/ACK ← Server
Client → ACK → Server

After this, you are ready to send data

Page 14:

SYN Port Scan

Client → SYN → Server
Client ← SYN/ACK ← Server
Client → RST → Server

The server is ready, but the client decided not to complete the handshake

Page 15:

Types of Port Scans

• SYN scan more details – Stealthy scan, because session handshakes are never completed
– Keeps it out of some log files
• Three states
– Closed
– Open
– Filtered – Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed

Page 16:

Types of Port Scans

• Connect scan – Completes the three-way handshake
– Not stealthy -- appears in log files
• Three states
– Closed
– Open
– Filtered

Page 17:

Types of Port Scans

• NULL scan – All packet flags are turned off
• Two results
– Closed ports reply with RST
– Open or filtered ports give no response

Page 18:

Types of Port Scans

• Ping Scan – Simplest method sends ICMP ECHO REQUEST to the destination(s)
• TCP Ping sends SYN or ACK to any port (default is port 80 for Nmap)
• Any response shows the target is up
• It is this one that is used mostly for Network Mapping
• Examples follow ...

Page 19:

Network Mapping

Page 20:

Network Mapping

• Looking for ...
– Looking for critical hosts, routers, firewalls
– If no prior knowledge, will begin by scanning machines that can be reached
• Web, Mail, Ftp, DNS servers
– Probe systems trying to understand Internet perimeter
– If internal knowledge, start scanning and mapping network

Page 21:

Network Mapping

• Can ping all possible hosts on your network using Nmap, http://www.insecure.org
• Reference Guide http://nmap.org/book/man.html
• Send an ICMP echo request – Looking for a response to a ping
• ICMP echo reply – What if ICMP messages are blocked?
• Could send TCP packets to commonly open ports: Web - 80 or email - 25

Use nmap to Find Hosts

$ nmap -PT80 192.168.0.1 <= TCP Ping Scan
$ nmap -sP 192.168.0.1 <= Ping Scan

Page 22:

Network Mapping

• Other Mapping Programs – Network Scanners
• Angry IP Scanner, http://www.angryziber.com/w/Home
• SuperScan http://www.foundstone.com/us/resources/proddesc/superscan.htm – Free Windows utility
• fping http://www.fping.com – Free Unix scanner

Page 23:

FPing

• Ping multiple IP addresses simultaneously
• Command-line tool
• Input: multiple IP addresses
– To enter a range of addresses: -g option
– Input file with addresses: -f option
• fping is meant to be used in scripts and its output is easy to parse

Page 24:

Fping on Ubuntu

$ sudo apt-get install fping

Page 25:

Angry IP Scanner

Page 26:

Network Mapping

• Traceroute – Goes by TTL field in IP header
– Map path to each computer, overlay results from each traceroute of target
– Create a hypothetical network topology

$ traceroute www.yahoo.com

Page 27:

Superscan 4.0

Traceroute of cs.uidaho.edu

Page 28:

Defense Against Network Mapping

• Use firewalls and packet filtering capabilities - routers or hosts
• At Internet Gateway, block incoming ICMP messages
– Except for hosts meant to be public Web servers
– Can configure filters to allow specific IP’s like your ISP to be able to send pings
– Can filter ICMP Time Exceeded messages too
– Limits attacker information but also network management too ... why traceroute does not work at EWU!!!

Page 29:

Port Scanning More

Page 30:

Scanning Basics - Ports

• Each Machine
• TCP/IP stack has 65,536 TCP ports and 65,536 UDP ports
• Every Service connected to a port is a potential doorway into the machine for an attacker
• Attacker has list of official known port assignments
– Internet Assigned Numbers Authority (IANA) http://www.iana.org/assignments/port-numbers
– Wikipedia list of the same thing http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Page 31:

Scanning Basics - Ports

• Port numbers are divided into three ranges:
– Well Known Ports – 0 – 1023
• Typically only for root or privileged processes
– Registered Ports – 1024 – 49151
• Registered known programs with IANA
– Dynamic and/or Private Ports – 49152 – 65535
• Dynamic or ephemeral ports, assigned by programs for one-time connections – no known programs associated

Page 32:

Ports

• Only root-privileged programs are allowed to open the lower numbered ports, common programs:
• Examples
– ftp-data 20/udp
– ftp 21/tcp
– ssh 22/tcp
– telnet 23/tcp
– Time 37/tcp
– Time 37/udp
– Whois 43/tcp
– DNS 53/udp
– Web 80/tcp
– Imap 143/tcp

Page 33:

Ports

• A few ordinary programs which are registered ...
– shockwave2 1257/tcp
– shockwave2 1257/udp
– ingreslock 1524/tcp ingres
– ingreslock 1524/udp ingres
– orasrv 1525/tcp oracle
– orasrv 1525/udp oracle
– x11 6000-6063/tcp – X Window System
– x11 6000-6063/udp

Page 34:

Ports and Port Scan Signature

• Signature of a Port scan – What does it look like?
• Several packets to different destination ports from the same source within a “short period” of time.
• Send TCP SYN to a non-listening port
• Intrusion Detector like Snort can inform us that we have been port-scanned
• What should we get back if port closed?
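Added example, not from the lecture: the port-scan signature on this slide (many distinct destination ports from one source within a short period) written as a sliding-window detector over constructed connection-attempt records, the kind of heuristic a Snort-style detector applies. The event records, the 5-second window and the 5-port threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample records (not a real capture):
# (time_seconds, src_ip, dst_ip, dst_port, tcp_flags)
SAMPLE_EVENTS = [
    (0.00, "10.0.0.5", "192.168.1.10", 22, "S"),   # fast SYN sweep of six ports
    (0.01, "10.0.0.5", "192.168.1.10", 23, "S"),
    (0.02, "10.0.0.5", "192.168.1.10", 25, "S"),
    (0.03, "10.0.0.5", "192.168.1.10", 80, "S"),
    (0.04, "10.0.0.5", "192.168.1.10", 110, "S"),
    (0.05, "10.0.0.5", "192.168.1.10", 143, "S"),
    (1.00, "10.0.0.9", "192.168.1.10", 80, "S"),   # ordinary web client
    (1.50, "10.0.0.9", "192.168.1.10", 80, "S"),
    (2.00, "10.0.0.9", "192.168.1.10", 443, "S"),
    (30.0, "10.0.0.7", "192.168.1.10", 22, "S"),   # slow sweep: one port per 30 s
    (60.0, "10.0.0.7", "192.168.1.10", 23, "S"),
    (90.0, "10.0.0.7", "192.168.1.10", 25, "S"),
]


def detect_port_scans(events, window=5.0, threshold=5):
    """Return {src_ip: ports} for every source that touched at least
    `threshold` distinct destination ports within some `window` seconds.
    Only connection attempts (SYN set) count, matching the slide's signature."""
    per_src = defaultdict(list)
    for t, src, _dst, dport, flags in events:
        if "S" in flags:
            per_src[src].append((t, dport))

    alerts = {}
    for src, attempts in per_src.items():
        attempts.sort()                      # sliding window needs time order
        start = 0
        for end in range(len(attempts)):
            # advance the window start until it spans at most `window` seconds
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            ports = {p for _, p in attempts[start:end + 1]}
            if len(ports) >= threshold:
                alerts.setdefault(src, set()).update(ports)
    return alerts


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_EVENTS))                          # flags 10.0.0.5 only
    print(detect_port_scans(SAMPLE_EVENTS, window=120.0, threshold=3))  # also catches 10.0.0.7
```

The slow sweep from 10.0.0.7 escapes the default window; widening the window and lowering the threshold catches it at the cost of more false positives, which is the tuning trade-off any scan detector faces.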

Page 35:

Syn Scan

Page 36:

Scanning Program - Nmap

• TCP Ack Scan
• Use this scan to get by filtering rules
• Many firewalls will filter initiating TCP connections from the outside
• Filter out packets with just the Syn bit set for an opening connection
• To avoid filtering, Nmap offers an Ack scan
• Sets Ack bit on packets and the filter thinks it’s a response to an existing connection

Page 37:

ACK Scan in Wireshark

Many fast Connection Attempts

All have ACK bit set

Page 38:

Scanning Program - Nmap

• TCP Ack Scan – Nmap uses Ack scan to figure out which ports are allowed unfiltered traffic by the firewall
– If get RST, means packet got through firewall, and port is open
• If no response, or
• ICMP port unreachable -> Nmap marks port as filtered

Page 39:

Nmap ACK Scan

(Diagram: Attacker on the External Network sends ACK probes to Port 1024, Port 1025 and Port 1026 through a Packet Filter Device; the Protected System on the Internal Network answers with Reset)

Page 40:

Scanning Program - Nmap

• Nmap – Version scan – find hidden applications
• Smart administrators
– Hide services behind odd port numbers
– Or, applications can be run over other services like SSL
– Penguin.ewu.edu ssh runs at 9090

Page 41:

Scanning Program - Nmap

• Version scan – How it works
– Nmap starts with normal scan
– Gathers list of open ports on a target
– For TCP, completes the 3-way handshake, waits for application to present itself
– Many do banners
– Try to match banner to internal DB Nmap has
– Why do we need to know application versions?

Page 42:

More Scanning

• OS Identity by Stack Fingerprinting
• Attacker needs to know OS and version
• Looking for way into system
– What vulnerabilities does system have?

Page 43:

More Scanning

• OS Identity - Stack Fingerprinting
• How and why does this work?
• Nmap sends packets to various ports including:
– Syn packets to open ports and closed ports
– Null packet to both open and closed ports
– Ack packet to closed and open ports
• Some implementations send RST in response; some send nothing and some send ICMP port unreachable
• Nmap includes a DB of different system responses – Over 1000 platforms

Page 44:

Nmap Examples

nmap -v target.com
Scans all TCP default ports on target.com; verbose mode

nmap -sS -O target.com/24
First pings addresses in target network to find hosts that are up. Then scans default ports at these hosts; stealth mode (doesn’t complete the connections); tries to determine OS running on each scanned host

nmap -sX -p 22,53,110,143 198.116.*.1-127
Sends an Xmas tree scan to the first half of each of the 255 possible subnets in the 198.116/16. Testing whether the systems run ssh, DNS, pop3, or imap

nmap -v -p 80 *.*.2.3-5
Finds all web servers on machines with IP addresses ending in .2.3, .2.4, or .2.5

Page 45:

Scanning Defenses

• What can you do against Scanning? – Close down all unnecessary ports
• Find them first: netstat -nao | grep “LISTENING” in Windows XP
– Shows listening ports and Process ID’s of listening processes
• Windows third party tools actually show more information
– Fport – www.foundstone.com
– OpenPorts http://diamondcs.com.au/consoletools/openports.php

Page 46:

Scanning Defenses

• Linux
– netstat -nap finds in-use ports and PID’s
– lsof -i shows all TCP/IP ports and associated files
– lsof -p [pid]

Page 47:

Defenses Against Scanning

• On-line scanners can help ...
• For people who want to do an on-line scan of their computers, there are several on-line sites
– http://www.auditmypc.com
– http://www.hackerwatch.org/probe
– http://www.dslreports.com/tools?r=341
• Most do simple scans for obvious vulnerabilities

Page 48:

Etherape – View Active Connections

• Etherape is a graphical utility that allows you to see (in real-time) where connections are being made on your network, or between your network (or computer) and the Internet
• If you are experiencing unexpected network activity on your computer or LAN and wish to see where the activity is occurring, this is an easy tool to use
• http://etherape.sourceforge.net/

Page 49:

Scanning Defenses

• Once find all open ports
– See if services are needed
– If not, disable the service permanently
• Start->Run … services.msc
• Then, click service, click Stop and set its Startup type to Disabled

Page 50:

Scanning Defenses

• Linux continued – Disable services
• Comment out its line in /etc/inetd.conf
• If started by xinetd, delete file in /etc/xinetd.d/[service]
• chkconfig --list is another way to see services installed
– Comes with Redhat, Mandrake and other Linux versions (not Ubuntu), but can get it for Ubuntu
– Can type chkconfig [service] off

Page 51:

Scanning Defenses

• Stateful Packet Filtering – Will keep track of existing connections
• Typically has a connection table of TCP connections
– Won’t allow ACK packets into the Network unless they belong to an existing TCP conversation
• There must have been an earlier Syn packet
• For FTP, must have been a control connection set up already
• Cover this more in depth when we cover Firewalls
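Added example, not part of the lecture: a toy model of the stateless rule the ACK-scan slides describe (drop packets with only SYN set, pass everything else) beside the stateful connection-table rule on this slide, run against constructed ACK probes to ports 1024-1026 as in the ACK scan diagram. The addresses, port numbers and the public-port list are assumptions.

```python
def mk(src, sport, dst, dport, flags):
    """Minimal packet record used by the constructed traffic below."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}


class StatelessFilter:
    """Rule from the ACK-scan slides: block inbound packets carrying only SYN
    (new connections from outside), pass everything else. An ACK-only probe
    looks like part of an existing conversation and is let through."""
    def allow_inbound(self, pkt):
        return pkt["flags"] != {"SYN"}


class StatefulFilter:
    """Keeps a connection table; an inbound ACK is admitted only when its
    4-tuple matches a conversation opened earlier, either by an inside host's
    outbound SYN or by an inbound SYN permitted to a public server port."""
    def __init__(self, public_ports):
        self.public_ports = set(public_ports)
        self.table = set()   # (src, sport, dst, dport) as seen in the inbound direction

    def outbound(self, pkt):
        # Inside host opening a connection: remember the reversed tuple so the
        # reply (SYN/ACK, then data ACKs) is allowed back in.
        if "SYN" in pkt["flags"]:
            self.table.add((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))

    def allow_inbound(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == {"SYN"}:                 # new connection from outside
            if pkt["dport"] in self.public_ports:   # only to published services
                self.table.add(key)
                return True
            return False
        return key in self.table                    # ACK with no earlier SYN: dropped


# Constructed (assumed) addresses; the probes mirror the ACK scan diagram.
ATTACKER, TARGET, INSIDE, WEBSITE = "203.0.113.5", "192.168.1.10", "192.168.1.20", "198.51.100.7"
ACK_PROBES = [mk(ATTACKER, 40000 + i, TARGET, 1024 + i, ["ACK"]) for i in range(3)]


def probes_passed(fw, probes=ACK_PROBES):
    """Destination ports whose ACK probe the filter lets into the network."""
    return [p["dport"] for p in probes if fw.allow_inbound(p)]


def legitimate_reply_passed():
    """The stateful filter still admits the SYN/ACK answering an inside host's own SYN."""
    fw = StatefulFilter(public_ports=[80])
    fw.outbound(mk(INSIDE, 51000, WEBSITE, 443, ["SYN"]))
    return fw.allow_inbound(mk(WEBSITE, 443, INSIDE, 51000, ["SYN", "ACK"]))


if __name__ == "__main__":
    print("stateless lets through:", probes_passed(StatelessFilter()))      # [1024, 1025, 1026]
    print("stateful lets through:", probes_passed(StatefulFilter([80])))    # []
    print("inside host's reply admitted:", legitimate_reply_passed())        # True
```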

Page 52:

Summary

• Scanning will result in a list of live machines
– With a list of ports open or not
– And the services or programs running at the ports
• Next, identify vulnerabilities in running services
• Code or download exploits to gain access !!!!

Page 53:

The End

Lab this week is Google Hacking
Assignment is Reconnaissance