Scanning & Enumeration: Lab 3

Once an attacker knows whom to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.), the next step is to figure out the rest of the network and its vulnerabilities.

Upload: valentine-marshall

Post on 04-Jan-2016



Network Scanning and Enumeration

The process of collecting information about computers (assets) available on a network, either by
◦ listening to network traffic (passive), or
◦ probing the network by sending traffic and observing what traffic is returned as a result (active).
◦ E.g. scan for live IP addresses (ping sweep).
◦ Once you know what is there, you can attack it appropriately:
  scan for ports to see what services are available, then apply appropriate exploits;
  scan for user names and passwords, unused accounts, etc.


Port and Vulnerability Scanning

Once you know a device is present, what are its vulnerabilities?
◦ Run a port scanner against the host, checking all ports and looking for open ones. Some services running on certain ports have known vulnerabilities.
  http://www.faqs.org/faqs/computer-security/most-common-qs/section-21.html
  http://en.wikipedia.org/wiki/Portscanning
◦ Or run a program that looks specifically for vulnerabilities (a combination of network, port and vulnerability scanning).


Scanning Programs

Tools used to identify which computers are active on a network, and which ports and services are available on each computer.
◦ Verify which IP addresses are active on a network: ping sweep
◦ Determine what services are available from each system: port scan
Note: port scanning may be illegal in some jurisdictions; scan only systems you are authorized to test.
Examples:
◦ nmap (http://nmap.org/)
◦ unicornscan (http://www.unicornscan.org/)
◦ superscan (http://www.snapfiles.com/get/superscan.html)
◦ nessus (http://www.nessus.org/nessus/)
◦ fping (http://fping.sourceforge.net/), hping (http://www.hping.org/)


Caveat: tools have their own footprints - but not always

Quoted from the Nmap reference guide:

“While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines (or firewalls in front of them). Such hosts may be untrustworthy and send responses intended to confuse or mislead Nmap. Much more common are non-RFC-compliant hosts that do not respond as they should to Nmap probes. FIN, NULL, and Xmas scans are particularly susceptible to this problem. Such issues are specific to certain scan types and so are discussed in the individual scan type entries.”

“Truly advanced Nmap users need not limit themselves to the canned scan types offered. The --scanflags option allows you to design your own scan by specifying arbitrary TCP flags. Let your creative juices flow, while evading intrusion detection systems whose vendors simply paged through the Nmap man page adding specific rules!”
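To make the --scanflags idea concrete, here is an added example (not code from the slides or from Nmap) that builds a 20-byte TCP header with any flag combination, computes the checksum over the IPv4 pseudo-header, and decodes a header back into flag names. The IP addresses, ports and sequence number in it are made-up sample values; sending the header would additionally need a raw socket and an IP header, which are outside this example.

```python
"""Craft and decode raw TCP headers with arbitrary flag combinations.

Added example, not code from the original slides or from Nmap. It shows
what a --scanflags style probe is at the byte level: a 20-byte TCP header
with any flag set, a checksum computed over the IPv4 pseudo-header, and
a decoder that turns a header back into flag names. The IP addresses,
ports and sequence number used below are made-up sample values.
"""
import socket
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# Canned scan probes as flag sets (Nmap -sS, -sN, -sF, -sX respectively)
SCAN_FLAGS = {"syn": {"SYN"}, "null": set(), "fin": {"FIN"},
              "xmas": {"FIN", "PSH", "URG"}}


def flags_to_int(flags):
    """Encode a collection of flag names as the TCP flags byte."""
    value = 0
    for name in flags:
        value |= FLAG_BITS[name]
    return value


def int_to_flags(value):
    """Decode the TCP flags byte into a set of flag names."""
    return {name for name, bit in FLAG_BITS.items() if value & bit}


def checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_header(src_ip, dst_ip, src_port, dst_port, flags,
                     seq=0, ack=0, window=1024):
    """Return a 20-byte TCP header (no options) with a valid checksum."""
    data_offset = 5 << 4                      # 5 x 32-bit words, no options
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      data_offset, flags_to_int(flags), window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp_header(hdr):
    """Decode the fixed part of a TCP header into a dict."""
    (src_port, dst_port, seq, ack, off, flag_byte,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", hdr[:20])
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq,
            "ack": ack, "header_len": (off >> 4) * 4,
            "flags": int_to_flags(flag_byte), "window": window,
            "checksum": csum, "urgent": urg}


def checksum_ok(src_ip, dst_ip, segment):
    """A segment with a correct checksum sums to zero including the field."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify_probe(flags):
    """Name the canned scan a flag set matches, or 'custom' (--scanflags)."""
    for name, fset in SCAN_FLAGS.items():
        if set(flags) == fset:
            return name
    return "custom"


if __name__ == "__main__":
    # A SYN+FIN probe, a combination no canned scan type sends
    probe = build_tcp_header("192.0.2.10", "198.51.100.7", 40000, 80,
                             {"SYN", "FIN"}, seq=0x1234)
    print(probe.hex())
    print(parse_tcp_header(probe), classify_probe({"SYN", "FIN"}))
```

The decoder is the half a detection engineer cares about: a signature that only matches the exact flag bytes of the canned scans (0x02, 0x00, 0x01, 0x29) is what the quoted "paged through the Nmap man page" remark is about, and the `classify_probe` fallthrough to "custom" is where such rules go blind.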


Different kinds of scans explained

http://nmap.org/book/man-port-scanning-techniques.html


Internet Control Message Protocol (ICMP)

Allows hosts and routers to communicate with each other and report errors, so that problems with network paths can be detected.
◦ The PING utility is based on ICMP echo requests and echo replies.
◦ PING is used to verify whether another network host is accessible.
◦ Note: many hosts and firewalls drop echo requests, so the absence of a reply does not prove that a host is down.


UDP Scanning (UDP Protocol)

Sending UDP packets to a target host to determine what UDP ports are open.
◦ A sequence of packets is sent to a series of different UDP port numbers to test the availability of each port.
◦ If the UDP port is NOT OPEN, the target sends an ICMP Destination Unreachable (port unreachable) packet in response to the probe.
◦ If the UDP port is OPEN, usually no reply is sent, unless the service happens to answer the probe payload. Silence is therefore ambiguous: the port may be open, or a firewall may have dropped the probe or the ICMP reply, so scanners report it as open|filtered.
◦ Many systems rate-limit ICMP errors, which is why UDP scans are slow.
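The three outcomes described above, as an added example that is not code from the slides or from any scanner. It relies on one OS behaviour: when a UDP socket is connected to a destination, the kernel reports an incoming ICMP port-unreachable error for that destination as ECONNREFUSED on the next send or recv. The listeners it probes are constructed on 127.0.0.1 so the demo runs offline.

```python
"""Probe UDP ports and classify them the way a UDP port scan does.

Added example, not code from the original slides or from any scanner.
A closed UDP port on a reachable host answers with ICMP port unreachable;
the OS reports that to a *connected* UDP socket as ECONNREFUSED on the
next send/recv. An open port that stays quiet looks exactly like a port
behind a firewall that dropped the probe, hence "open|filtered". The
demo runs against constructed listeners on 127.0.0.1 so it works offline.
"""
import socket
import threading


def probe_udp_port(host, port, payload=b"", timeout=1.0):
    """Return 'open', 'closed' or 'open|filtered' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))      # connected, so ICMP errors reach us
        s.send(payload)
        s.recv(1024)
        return "open"                # the service answered our payload
    except ConnectionRefusedError:
        return "closed"              # ICMP destination/port unreachable
    except socket.timeout:
        return "open|filtered"       # silence: quiet service or firewall
    finally:
        s.close()


def udp_scan(host, ports, payload=b"", timeout=1.0):
    """Probe each port in turn; returns {port: state}."""
    return {p: probe_udp_port(host, p, payload, timeout) for p in ports}


def local_fixture():
    """Constructed test setup on loopback: a silent open port, an echoing
    open port, and a port that was bound then released (now closed)."""
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))

    echo = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    echo.bind(("127.0.0.1", 0))
    echo.settimeout(3.0)

    def echo_once():
        try:
            data, peer = echo.recvfrom(1024)
            echo.sendto(b"reply:" + data, peer)
        except OSError:
            pass
    threading.Thread(target=echo_once, daemon=True).start()

    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                      # nothing listens here any more

    return (silent, echo,
            {"silent": silent.getsockname()[1],
             "echo": echo.getsockname()[1],
             "closed": closed_port})


def demo():
    """Scan the three fixture ports and return {label: state}."""
    silent, echo, ports = local_fixture()
    try:
        states = udp_scan("127.0.0.1", ports.values(),
                          payload=b"hello", timeout=0.5)
        return {label: states[port] for label, port in ports.items()}
    finally:
        silent.close()
        echo.close()


if __name__ == "__main__":
    print(demo())
```

Against a real target the "silent" case dominates, which is why practical UDP scanners send protocol-specific payloads (a DNS query to 53, an SNMP get to 161) to coax an answer out of open ports instead of an empty datagram.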


TCP Scanning (TCP Protocol)

Based on various features of TCP. Some of the features used for scanning and enumeration include:
◦ Opening a TCP connection (3-way handshake)
◦ Closing a TCP connection
◦ TCP connection reset
◦ TCP null scan


TCP 3-way handshake

Used to establish a TCP connection. Packet sequence for the 3-way handshake:
◦ SYN segment - requests a connection (e.g., with a server)
◦ SYN-ACK - acknowledges the (client's) SYN information and provides the (server's) information for establishing the connection.
◦ ACK - acknowledges the (server's) information.
This process can be used to determine which TCP ports are open on a server.


Closing a TCP Connection

Uses a four-segment exchange, since each side closes its own direction separately:
◦ FIN - indicates that one host (e.g., Host B) has finished sending data and is ready to close the connection.
◦ ACK - Host A acknowledges receipt of the FIN. The connection is "half-closed" at this point: Host B transmits no more data, but Host A still can.
◦ FIN - Host A indicates it is now ready to close the connection.
◦ ACK - Host B acknowledges A's FIN. The connection is closed when Host A receives the final ACK from Host B.


TCP Connection Reset

Allows an application to disconnect from a connection in abnormal circumstances.
Either host initiates by sending a TCP segment with the RST bit set.
The receiving host immediately aborts the connection and informs the application program that a reset has occurred.
A host also answers with RST when a segment arrives for a port that has no listener; port scanners rely on exactly this reply to tell closed ports from open ones.


Some Types of TCP Port Scans

SYN scan
◦ Send a SYN packet
◦ If the port is closed, the target responds with RST/ACK
◦ If the port is open, the target responds with SYN/ACK; the sender then sends RST to tear down the half-open connection without completing the handshake
◦ If nothing comes back (or an ICMP unreachable error arrives), the port is reported as filtered
Connect scan
◦ Similar to a SYN scan, but completes the 3-way handshake via the operating system's connect() call, so a connection is established (and is typically logged by the service)
NULL scan
◦ Send a packet with all flags OFF
◦ If the destination port is closed, an RST packet is sent
◦ If the destination port is open, no response is sent; since a firewall dropping the probe also produces no response, the result is reported as open|filtered
◦ Relies on RFC 793 behaviour; Windows and some other stacks send RST for every port, so every port looks closed
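The connect scan from the list above, as an added example that is not code from the slides or from Nmap. Everything interesting happens inside the OS: connect_ex() returns 0 once the handshake has completed, ECONNREFUSED once a RST/ACK has answered the SYN, and anything else (timeout, ICMP unreachable) is reported here as filtered. The listener it scans is constructed on 127.0.0.1 so the demo runs offline.

```python
"""Minimal TCP connect scanner (the "connect scan" in the slides).

Added example, not code from the original slides or from Nmap.
connect_ex() asks the OS to run the full three-way handshake: an open
port returns 0 after SYN/ACK and our ACK, a closed port returns
ECONNREFUSED after the RST/ACK, and silence (or an ICMP error) ends in
a timeout, reported here as filtered. Because the handshake completes,
the service on an open port sees a real connection and can log it,
which is the main difference from a half-open SYN scan. The demo scans
constructed listeners on 127.0.0.1 so it runs offline.
"""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor


def connect_scan_port(host, port, timeout=0.5):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except OSError:              # e.g. a timeout raised rather than returned
            return "filtered"
    if rc == 0:
        return "open"                # handshake completed
    if rc == errno.ECONNREFUSED:
        return "closed"              # RST/ACK answered our SYN
    return "filtered"                # no usable answer within the timeout


def connect_scan(host, ports, workers=32, timeout=0.5):
    """Scan ports concurrently (one handshake per thread); returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: connect_scan_port(host, p, timeout),
                               ports))
    return dict(zip(ports, states))


def demo():
    """Constructed fixture: one listening port and one bound-then-released port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)               # kernel completes handshakes for us
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                      # port is free again, so SYN gets RST/ACK

    try:
        result = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"open": result[open_port], "closed": result[closed_port]}


if __name__ == "__main__":
    print(demo())
```

Note that the listener never calls accept(): the kernel finishes the handshake on its behalf, so from the scanner's side the port is open whether or not the application is ready to talk, and on the target side the completed connection shows up in the service's logs and in `netstat`, which a SYN scan avoids.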


Enumeration

The process of extracting information from a network:
◦ Resources or shares available on the network
◦ Determine the OS using fingerprinting/scanning
◦ User names or groups assigned on the network
◦ The last time a user logged on, as well as password information
http://en.wikipedia.org/wiki/Network_Scanner
Tools
◦ NBTscan (http://www.inetcat.net/software/nbtscan.html)
◦ NetScanTools Pro (http://www.netscantools.com/)
◦ Hyena (http://www.systemtools.com/hyena/?source=google3D)
◦ Finger (http://en.wikipedia.org/wiki/Finger_protocol)
◦ IKE-Scan (http://www.nta-monitor.com/tools/ike-scan/)


Vulnerability Scanners

Programs designed to search for and map systems, looking for weaknesses in an application, computer or network.
http://en.wikipedia.org/wiki/Vulnerability_scanner
http://en.wikipedia.org/wiki/Web_Application_Security_Scanner
Tools
◦ nessus (http://www.nessus.org/nessus/)
◦ SAINT (the page linked here is actually eEye Retina's, a different scanner: http://www.eeye.com/html/Products/Retina/index.html)
◦ Microsoft Baseline Security Analyzer (http://technet.microsoft.com/en-us/security/cc184924.aspx)
