CSCD434
Lecture 8, Spring 2014
Scanning Activities: Network Mapping and Scanning
Review
• Recall where we are going – Phases of Attack
1. Reconnaissance
2. Scanning
– Finding machines and services
– Vulnerability scanning
3. Gaining Access – Attacks
4. Maintaining Access
5. Covering Tracks and Hiding
Assume Attacker is Serious
• In the previous slide ... the attacker is dedicated and serious
• Wants to access systems to make money
• Will dedicate time and resources to accomplish goals
Scanning
• After Reconnaissance (whois, Google hacks, dig) – What do attackers know?
– IP addresses of the network
– Domain names
– Technical contact information
– Telephone numbers
– Physical address
– Mail servers, possible operating systems of servers
Scanning
• What more do they need before attacking? – Two levels of information
1. Map of your network: Network Mapping
– Ideally, the location of every internal machine with sensitive information
– Company databases
– Critical servers, intranet machines
– Firewalls, Intrusion Detection Systems, and routers
Scanning
2. Services running on each host: Port Scanning
– Services and OSes
• Server services: DNS, Web, Mail, FTP, Database, file servers (NFS)
• Operating systems: Cisco, Windows, Vista, Linux, Mac, others ...
Scanning
• Why do we (hackers) need to identify computer services?
Introduction to Port Scanning
• Port scanning finds out which services are offered by a host
• Identifies vulnerabilities: open services
– Identify a vulnerable port, launch an exploit
• Scan all ports, not just the well-known ports
• A ping scan is the simplest scan, to find out if the machine is even up
Introduction to Port Scanning
• Port scanning programs report
– Open ports
– Closed ports
– Filtered ports
– Best-guess assessment of which OS is running
• Types of Port Scanning
– TCP SYN Scanning – "half open" scanning
• Sends a SYN packet to each remote port. Open ports respond with a SYN/ACK packet; closed ports usually respond with an RST packet.
– TCP FIN Scanning – sends a FIN packet (normally sent to clear a connection when the conversation is finished)
• Closed ports usually respond with an RST packet; open ports usually ignore FIN packets (this is RFC 793 behavior). Caveat: Windows and many Cisco devices answer every FIN with an RST regardless of port state, so a FIN scan reports every port closed on those systems.
– UDP Scanning – more difficult than TCP since UDP services may not respond
• If an ICMP "port unreachable" message is received, however, it is an indication the service is NOT running; no response at all means open or filtered.
Types of Port Scanning
• Fragmentation Scanning – break each scan probe up into several smaller IP fragments
– This may make it possible to hide the scan from firewalls and IDSs that do not reassemble fragments before inspecting them
• Relay or bounce scanning – send the scan through another system (proxy or forwarding gateway)
– May confuse/hide the origin of the attack
• Decoy scanning – send a large number of spoofed packets along with your real one, so they hide the real scan
Examples of Scans

Normal TCP Handshake
Client  ---- SYN ---->     Server
Client  <-- SYN/ACK --     Server
Client  ---- ACK ---->     Server
After this, you are ready to send data
SYN Port Scan
Client  ---- SYN ---->     Server
Client  <-- SYN/ACK --     Server
Client  ---- RST ---->     Server
The server is ready, but the client decided not to complete the handshake
Types of Port Scans
• SYN scan, more details
– Stealthy scan, because session handshakes are never completed
– Keeps it out of some log files (the application never sees an accepted connection, so it never logs one)
– Three states
• Closed
• Open
• Filtered
– Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed
Types of Port Scans
• Connect scan
– Completes the three-way handshake (uses the OS connect() call, so it needs no raw-socket privilege)
– Not stealthy – appears in log files
– Three states
• Closed
• Open
• Filtered
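As an added example (not part of the original lecture), the connect scan above in Python. It runs offline: a throwaway listener on 127.0.0.1 is the constructed "target", and a second port that was bound and released stands in for a closed port; the host name, the listener and all port numbers are assumptions of the example, not anything from the slides.

```python
import socket
import threading

HOST = "127.0.0.1"  # constructed target: our own loopback, not a real remote host


def start_listener():
    """Throwaway TCP service so the scan has one open port to find (constructed for the example)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))  # port 0: let the OS pick a free port
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed: stop serving
                return
            conn.close()  # the handshake completing is all the scanner needs

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def free_port():
    """A port nothing is listening on: bind, read the number back, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan_port(host, port, timeout=1.0):
    """Connect scan of one port (what nmap -sT does): full three-way handshake via connect().

    open     -> SYN/ACK came back and the OS finished the handshake
    closed   -> RST came back (ECONNREFUSED)
    filtered -> nothing came back before the timeout (something dropped the SYN)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def connect_scan(host, ports, timeout=1.0):
    """Scan several ports; returns {port: state}. Every open port's service sees a real
    accept() and may log it, which is exactly why this scan is not stealthy."""
    return {port: connect_scan_port(host, port, timeout) for port in ports}


if __name__ == "__main__":
    listener = start_listener()
    open_port = listener.getsockname()[1]
    for port, state in sorted(connect_scan(HOST, [open_port, free_port()]).items()):
        print(f"{port}/tcp {state}")
    listener.close()
```

The "filtered" branch cannot be shown on loopback (nothing drops packets there); point the scanner at a host behind a firewall that silently discards SYNs and the timeout is what you get.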
Types of Port Scans
• NULL scan
– All packet flags are turned off
– Two results
• Closed ports reply with RST
• Open or filtered ports give no response (Nmap reports them as "open|filtered"; on Windows and many Cisco devices every port answers with RST, so the scan tells you nothing there)
Types of Port Scans
• Ping Scan
– Simplest method sends an ICMP ECHO REQUEST to the destination(s)
– TCP Ping sends a SYN or ACK to a port (default is port 80 for Nmap)
– Any response shows the target is up
– It is this one that is used mostly for Network Mapping
• Examples follow ...
Network Mapping
Network Mapping
• Looking for ...
– Critical hosts, routers, firewalls
– If no prior knowledge, will begin by scanning the machines that can be reached
• Web, Mail, FTP, DNS servers
– Probe systems trying to understand the Internet perimeter
– If internal knowledge, start scanning and mapping the network from inside
Network Mapping
• Can ping all possible hosts on your network using Nmap, http://www.insecure.org
• Reference Guide http://nmap.org/book/man.html
• Send an ICMP echo request – looking for a response to a ping
• ICMP echo reply – what if ICMP messages are blocked?
• Could send TCP packets to commonly open ports: Web - 80 or email - 25
• Use nmap to find hosts
$ nmap -sP 192.168.0.1 <= Ping Scan (-sP is the old spelling; current Nmap calls it -sn)
$ nmap -PT80 192.168.0.1 <= TCP Ping Scan (-PT is Nmap 2.x syntax; current Nmap uses -PS80 for a SYN ping and -PA80 for an ACK ping)
Network Mapping
• Other Mapping Programs / Network Scanners
– Angry IP Scanner, http://www.angryziber.com/w/Home
– SuperScan, http://www.foundstone.com/us/resources/proddesc/superscan.htm – free Windows utility
– fping, http://www.fping.com – free Unix scanner
Fping
• Pings multiple IP addresses simultaneously
• Command-line tool; input: multiple IP addresses
– To enter a range of addresses: -g option
– Input file with addresses: -f option
• fping is meant to be used in scripts and its output is easy to parse
Fping on Ubuntu
$ sudo apt-get install fping
Angry IP Scanner
Network Mapping
• Traceroute
– Goes by the TTL field in the IP header: each router decrements the TTL, and the one that drops the packet at zero sends back an ICMP Time Exceeded, which identifies that hop
– Map the path to each computer; overlay the results from each traceroute of the target
– Create a hypothetical network topology
$ traceroute www.yahoo.com
Superscan 4.0
Traceroute of cs.uidaho.edu
Defense Against Network Mapping
• Use firewalls and packet filtering capabilities – routers or hosts
• At the Internet gateway, block incoming ICMP messages
– Except for hosts meant to be public, such as Web servers
– Can configure filters to allow specific IPs, like your ISP, to be able to send pings
– Can filter outgoing ICMP Time Exceeded messages too
– Limits attacker information, but also network management ... why traceroute does not work at EWU!!!
Port Scanning More
Scanning Basics - Ports
• Each machine's TCP/IP stack has 65,536 TCP ports and 65,536 UDP ports (0 – 65535)
• Every service connected to a port is a potential doorway into the machine for an attacker
• Attacker has the list of official known port assignments – Internet Assigned Numbers Authority (IANA)
http://www.iana.org/assignments/port-numbers
– Wikipedia list of the same thing
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Scanning Basics - Ports
• Port numbers are divided into three ranges:
– Well Known Ports – 0 – 1023
• Typically only for root or privileged processes (on Unix-like systems, binding a port below 1024 needs root or the CAP_NET_BIND_SERVICE capability)
– Registered Ports – 1024 – 49151
• Registered by known programs with IANA
– Dynamic and/or Private Ports – 49152 – 65535
• Dynamic or ephemeral ports, assigned by the OS to the client side of one-time connections – no known programs associated
Ports
• Only root-privileged programs are allowed to open the lower numbered ports; common programs:
• Examples
– ftp-data 20/tcp
– ftp 21/tcp
– ssh 22/tcp
– telnet 23/tcp
– time 37/tcp, 37/udp
– whois 43/tcp
– DNS 53/udp (and 53/tcp)
– Web 80/tcp
– imap 143/tcp
Ports
• A few ordinary programs which are registered ...
– shockwave2 1257/tcp, 1257/udp
– ingreslock 1524/tcp, 1524/udp – Ingres
– orasrv 1525/tcp, 1525/udp – Oracle
– x11 6000-6063/tcp, 6000-6063/udp – X Window System
Ports and Port Scan Signature
• Signature of a port scan – what does it look like?
– Several packets to different destination ports from the same source within a "short period" of time
– Sending a TCP SYN to a non-listening port
• An intrusion detector like Snort can inform us that we have been port-scanned
• What should we get back if the port is closed? A TCP RST (for UDP, an ICMP port unreachable); a burst of those going back to one source is the classic sign of a scan
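To make the signature concrete, here is an added example (not from the lecture or from Snort) of the detection logic a simple IDS rule applies: count, per source, how many distinct destination ports received initial SYNs inside a sliding time window, and alert when that crosses a threshold. The log format, the IP addresses, the threshold of 10 ports in 5 seconds and the sample traffic are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (loosely modelled on a netfilter LOG line, simplified):
#   <ISO timestamp> SRC=<ip> DST=<ip> DPT=<port> FLAGS=<TCP flags, e.g. S, SA, A>
LOG_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) FLAGS=(\S+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport, flags), or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4)), m.group(5)


def detect_port_scans(lines, threshold=10, window_seconds=5):
    """Flag any source that sends initial SYNs to >= threshold distinct destination ports
    within a sliding window of window_seconds. Lines must be in time order.
    One alert per offending source, raised when the threshold is first crossed."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (timestamp, dport) still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, flags = rec
        # Only connection attempts count: SYN set, ACK clear. The target's SYN/ACK
        # replies and ordinary data segments are not part of the signature.
        if "S" not in flags or "A" in flags:
            continue
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "distinct_ports": len(distinct_ports),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


# Constructed sample traffic: one fast scan, one slow scan, one ordinary web client.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080]
SAMPLE_LOG = (
    # 10.0.0.9: five ports, a 20 s pause, five more -> never 10 ports inside one window
    [f"2014-04-15T10:00:00 SRC=10.0.0.9 DST=192.168.1.10 DPT={p} FLAGS=S" for p in range(1, 6)]
    # 10.0.0.5: twelve ports in two seconds -> the classic port-scan signature
    + [f"2014-04-15T10:00:0{1 + i // 6} SRC=10.0.0.5 DST=192.168.1.10 DPT={p} FLAGS=S"
       for i, p in enumerate(SCAN_PORTS)]
    # the target's SYN/ACK back to the scanner: a reply, must not count as a probe
    + ["2014-04-15T10:00:02 SRC=192.168.1.10 DST=10.0.0.5 DPT=40000 FLAGS=SA"]
    # 10.0.0.7: normal browser traffic, two ports, several connections
    + [f"2014-04-15T10:00:0{s} SRC=10.0.0.7 DST=192.168.1.10 DPT={p} FLAGS=S"
       for s, p in [(2, 80), (2, 443), (3, 80), (3, 80), (4, 443)]]
    + [f"2014-04-15T10:00:20 SRC=10.0.0.9 DST=192.168.1.10 DPT={p} FLAGS=S" for p in range(6, 11)]
)

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(alert)
```

The slow scanner shows the detector's blind spot: spread the probes out past the window and the count never reaches the threshold, which is exactly what Nmap's slower timing templates exploit. Lowering the threshold catches it at the price of more false positives.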
Syn Scan
Scanning Program - Nmap
• TCP ACK Scan
– Use this scan to get past filtering rules
– Many firewalls will filter initiating TCP connections from the outside: they filter out packets with just the SYN bit set, i.e. an opening connection
– To avoid that filtering, Nmap offers an ACK scan (-sA)
– Sets the ACK bit on the packets, and a stateless filter thinks it is a response to an existing connection
ACK Scan in Wireshark
Many fast Connection Attempts
All have ACK bit set
Scanning Program - Nmap
• TCP ACK Scan
– Nmap uses the ACK scan to figure out which ports are allowed unfiltered traffic by the firewall
– If you get an RST, the packet got through the firewall; Nmap marks the port "unfiltered". An RST comes back whether the port is open or closed, so an ACK scan never tells you which; follow up with a SYN scan of the unfiltered ports for that
– If no response, or an ICMP unreachable error, Nmap marks the port as filtered
Nmap ACK Scan
External Network              Packet Filter Device              Internal Network
Attacker  -- ACK, dst port 1024 -->  (passes, looks like a reply)  -->  Protected System
Attacker  -- ACK, dst port 1025 -->  (passes, looks like a reply)  -->  Protected System
Attacker  -- ACK, dst port 1026 -->  (passes, looks like a reply)  -->  Protected System
Attacker  <------------------------ Reset (RST) -----------------------  Protected System
Scanning Program - Nmap
• Nmap – Version scan (-sV) – find hidden applications
• Smart administrators
– Hide services behind odd port numbers
– Or, applications can be run over other services like SSL
– penguin.ewu.edu ssh runs at 9090
Scanning Program - Nmap
• Version scan – how it works
– Nmap starts with a normal scan
– Gathers the list of open ports on a target
– For TCP, completes the 3-way handshake and waits for the application to present itself
– Many do banners
– Try to match the banner to the internal DB Nmap has (nmap-service-probes); services that do not speak first are sent protocol-specific probes instead
– Why do we need to know application versions? Known vulnerabilities and exploits are indexed by exact version
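The version scan steps above as an added example (not code from the lecture or from Nmap): complete the handshake, read whatever the service volunteers, and if it says nothing send an HTTP request as a probe, then match the banner against a small signature table. The signature table, the two fake services on 127.0.0.1 and their banners are constructed for the example; a real version scan matches against Nmap's far larger nmap-service-probes file.

```python
import re
import socket
import threading

# Constructed signature table in the spirit of nmap-service-probes (a handful of
# entries written for this example, not Nmap's database).
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-\d\.\d-(?P<ver>\S+)")),
    ("smtp", re.compile(rb"^220[ -](?P<ver>[^\r\n]*SMTP[^\r\n]*)", re.I)),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: (?P<ver>[^\r\n]+)", re.S)),
]
HTTP_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"


def grab_banner(host, port, probe=b"", timeout=1.0):
    """Complete the three-way handshake, optionally send a probe, return what the service says."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""          # service is waiting for us to speak first


def match_service(banner):
    """Map a banner to (service, version); (None, None) if nothing in the table matches."""
    for name, rx in SIGNATURES:
        m = rx.search(banner)
        if m:
            return name, m.group("ver").decode(errors="replace")
    return None, None


def identify_service(host, port):
    """Version scan of one open port: null probe first (SSH, SMTP, FTP talk first),
    then fall back to an HTTP request for services that wait for the client."""
    banner = grab_banner(host, port)
    if not banner:
        banner = grab_banner(host, port, probe=HTTP_PROBE)
    service, version = match_service(banner)
    return {"port": port, "service": service, "version": version, "banner": banner}


def start_fake_service(response, wait_for_request=False):
    """Constructed stand-in for a real daemon on 127.0.0.1 so the example runs offline.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            try:
                with conn:
                    if wait_for_request:
                        conn.recv(1024)      # behave like a web server: client speaks first
                    conn.sendall(response)
            except OSError:
                pass                         # client gave up (null-probe timeout); keep serving

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


# Constructed banners: an SSH daemon hidden on an odd port, and a web server.
SSH_BANNER = b"SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1\r\n"
HTTP_RESPONSE = b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for port in (start_fake_service(SSH_BANNER),
                 start_fake_service(HTTP_RESPONSE, wait_for_request=True)):
        print(identify_service("127.0.0.1", port))
```

Notice that the scanner does not care which port the SSH daemon sits on: moving sshd to 9090 hides it from someone grepping for port 22 in a port list, not from anyone who reads the banner.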
More Scanning
• OS Identity by Stack Fingerprinting
• Attacker needs to know the OS and version
• Looking for a way into the system – what vulnerabilities does the system have?
More Scanning
• OS Identity – Stack Fingerprinting
• How and why does this work?
• Nmap sends packets to various ports, including:
– SYN packets to open ports and closed ports
– NULL packets to both open and closed ports
– ACK packets to closed and open ports
• Some implementations send RST in response, some send nothing, and some send ICMP port unreachable; details such as initial TTL, TCP window size and the order of TCP options also differ from stack to stack
• Nmap includes a DB of the different systems' responses (nmap-os-db), over 1000 platforms
Nmap Examples
nmap -v target.com
  Scans the default TCP ports on target.com; verbose mode
nmap -sS -O target.com/24
  First pings addresses in the target network to find hosts that are up. Then scans the default ports on these hosts; stealth mode (doesn't complete the connections); tries to determine the OS running on each scanned host
nmap -sX -p 22,53,110,143 198.116.*.1-127
  Sends an Xmas tree scan to the first half of each of the 256 possible /24 subnets in 198.116/16, testing whether the systems run ssh, DNS, pop3, or imap
nmap -v -p 80 *.*.2.3-5
  Finds all web servers on machines with IP addresses ending in .2.3, .2.4, or .2.5
Scanning Defenses
• What can you do against scanning? – Close down all unnecessary ports
• Find them first
netstat -nao | findstr "LISTENING"    (Windows XP; findstr is the built-in equivalent of grep)
– Shows listening ports and the process IDs of the listening processes
• Windows third-party tools actually show more information
– Fport – www.foundstone.com
– OpenPorts – http://diamondcs.com.au/consoletools/openports.php
Scanning Defenses
• Linux
netstat -nap    finds in-use ports and PIDs (on current distributions, ss -tulpn gives the same listing)
lsof -i         shows all TCP/IP sockets and the processes holding them
lsof -p [pid]   shows every file and socket a given process has open
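Both netstat -nap and ss read the same kernel table, /proc/net/tcp, so here is an added example (not from the lecture) that parses that table directly and, unlike netstat's output, flags which listeners a remote port scanner can actually reach: a socket bound to 0.0.0.0 listens on every interface, one bound to 127.0.0.1 is invisible from outside. The snapshot is constructed (the ssh-on-9090 entry echoes the earlier slide); the little-endian address decoding is an assumption that holds on x86 hosts.

```python
import os
import socket
import struct

# Constructed snapshot in /proc/net/tcp format (the file netstat -nap and ss read).
# Addresses are the 32-bit value printed in host byte order; ports are hex in network order.
PROC_NET_TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:2382 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:B2F4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 45678 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp


def decode_endpoint(field):
    """'0100007F:0016' -> ('127.0.0.1', 22). Assumes a little-endian host (x86), where the
    kernel prints the network-order address as a byte-swapped 32-bit word."""
    addr_hex, port_hex = field.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))   # undo the host-order swap
    return socket.inet_ntoa(packed), int(port_hex, 16)


def listening_sockets(text):
    """Parse a /proc/net/tcp dump and return the LISTEN sockets, lowest port first.
    remote_reachable is True when bound to 0.0.0.0 (every interface), i.e. a scanner on
    another host will see the port; a 127.0.0.1 bind is only visible locally."""
    found = []
    for line in text.splitlines()[1:]:            # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        addr, port = decode_endpoint(fields[1])
        found.append({
            "address": addr,
            "port": port,
            "uid": int(fields[7]),
            "inode": int(fields[9]),              # join with /proc/<pid>/fd to find the PID
            "remote_reachable": addr == "0.0.0.0",
        })
    return sorted(found, key=lambda s: s["port"])


def listening_sockets_live(path="/proc/net/tcp"):
    """Same parse against the running kernel; returns [] where /proc is not available."""
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return listening_sockets(f.read())


if __name__ == "__main__":
    for s in listening_sockets(PROC_NET_TCP_SAMPLE):
        where = "ALL INTERFACES" if s["remote_reachable"] else "loopback only"
        print(f"{s['address']}:{s['port']}  uid={s['uid']}  {where}")
```

In the sample, sshd on 22 is exposed to the network, while the database on 3306 and the second sshd on 9090 are bound to loopback and would not show up in an external scan at all; that bind address is often the cheapest fix for a service you cannot disable.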
Defenses Against Scanning
• On-line scanners can help ...
• For people who want to do an on-line scan of their computers, there are several on-line sites
http://www.auditmypc.com
http://www.hackerwatch.org/probe
http://www.dslreports.com/tools?r=341
• Most do simple scans for obvious vulnerabilities
Etherape – View Active Connections
• Etherape is a graphical utility that allows you to see (in real time) where connections are being made on your network, or between your network (or computer) and the Internet
• If you are experiencing unexpected network activity on your computer or LAN and wish to see where the activity is occurring, this is an easy tool to use
http://etherape.sourceforge.net/
Scanning Defenses
• Once you find all open ports
– See if the services are needed
– If not, disable the service permanently
• Windows: Start -> Run ... services.msc, then click the service, click Stop and set its Startup type to Disabled
Scanning Defenses
• Linux continued – disable services
– Comment out its line in /etc/inetd.conf
– If started by xinetd, set "disable = yes" in /etc/xinetd.d/[service] (or delete that file)
– chkconfig --list is another way to see the services installed
– Comes with Red Hat, Mandrake and other Linux versions (not Ubuntu), but you can get it for Ubuntu
– Can type chkconfig [service] off (on systemd-based distributions: systemctl disable --now [service])
Scanning Defenses
• Stateful Packet Filtering
– Will keep track of existing connections
• Typically has a connection table of TCP connections
– Won't allow ACK packets into the network unless they belong to an existing TCP conversation
• There must have been an earlier SYN packet (this is what defeats the ACK scan)
• For FTP, there must have been a control connection set up already
• Cover this more in depth when we cover Firewalls
Summary
• Scanning will result in a list of live machines
• With a list of ports, open or not
• And the services or programs running at those ports
• Next, identify vulnerabilities in the running services
• Code or download exploits to gain access !!!!
The End
Lab this week is Google Hacking
Assignment is Reconnaissance