EECS 4980/6980: Computer Security

Phase 1: Reconnaissance
Phase 2: Scanning

Topics

• Low Tech Reconnaissance
• Network Information Sources
• DNS Zone Transfers
• Network Mapping
• Port Scanning
• Stealth Scanning
• Version Identification
• Defences
• OS Fingerprinting

Reconnaissance

Collecting security-relevant information about an organization, including:
– Locations
– Related entities
– Personnel: names, phone numbers, email addresses
– Privacy or security policies
– Network and system configuration
– Remote access methods

Low Tech Reconnaissance

1. Social Engineering

2. Physical Break-In

3. Dumpster Diving

Social Engineering

Attacker uses a pretext to deceive an organization member into giving out confidential information.

Pretexts include personas and reasons:

Personas
– New employee
– Sysadmin
– Manager

Reasons
– Lost password
– Contact name/phone
– Reset password

Social Engineering Defences

• Security Policy
  – Secure method for password resets.
  – No requests for passwords.

• Security Awareness Program
  – Educate personnel about social attacks.
  – Educate personnel about security policy.

Physical Break-In

• Methods of Entry
  – Employment.
  – Enter on someone else’s coat tails.

• Physical Access
  – Already logged in system.
  – System with password written down nearby.
  – Install hardware/software key loggers.
  – Plug in laptop to Ethernet port.
  – Take removable media or even hard disks.

Physical Defences

• Security Policy
  – Personnel cannot enter without card.
  – No coat-tailing.
  – Policy for ID card replacement/temporary IDs.

• Security Mechanisms
  – Card reader access.
  – Guards.
  – Automatic screen locks after 5 minutes.
  – Locked file cabinets/drawers.
  – Encryption.

Dumpster Diving

Search trash for sensitive information:
– Usernames and passwords,
– Phone directories,
– Network diagrams, etc.

2000: Oracle hired IGI (a private investigation company) to investigate pro-Microsoft groups.
– IGI searched trash to discover MS funding of supposedly independent advocacy groups.

Defences Against Dumpster Diving

• Security Policy
  – Require special disposal of confidential data.
  – Includes paper, floppies, etc.

• Security Mechanisms
  – Paper shredder.
  – Degausser.
  – Burning.

Information Resources

• Organization web site
  – Check HTML source for comments.
  – Check robots.txt for interesting files.

• Usenet postings
  – Search groups.google.com for “@org” postings
  – comp.security.*, comp.unix.*

• Search news sources about organization:
  – finance.yahoo.com
  – news.google.com
  – Edgar database (www.sec.gov/)

• Send email to invalid address @org
  – Identify mail server vendor and version.
  – Email server topology and antivirus defences.

Google Hacking: Keywords

• site: for site-specific searches
  – site:orgname
  – keywords: dial, dialup, login, password
  – job postings listing required programs/technologies

• link: find related sites
  – link:sitename

• cache: see deleted pages or old versions
  – cache:sitename

Google Hacking: Finding Directory Listings

intitle: for text in title, not body.
– intitle:index.of “parent directory”
– intitle:index.of name size

Combine with site: to specify your target.

Google Hacking: Finding Passwords

UNIX Passwords
  intitle:"Index of..etc" passwd

MySQL History (often includes passwords)
  intitle:"Index of" .mysql_history

See Google Hack Database for more queries.

Domain Name Registration

• http://www.allwhois.com/
• whois command
  – wildcard search: “whois orgname.”
• Contact names: email, phone, address
• DNS servers

whois

Domain Name: LORAINCCC.EDU
Registrant: Lorain County Community College
  1005 North Abbe Road
  Elyria, OH 44035-1691

Contacts:
  Administrative Contact: Jeff B. Hurd
    (440) 555-5555 [email protected]
  Technical Contact: Norm D. Lease
    (440) 555-5556 [email protected]

Name Servers: LC3MS1.LORAIN.CC.OH.US NS1.OAR.NET NS2.OAR.NET

Domain record activated: 20-May-1996
Domain record last updated: 13-Aug-2002

whois

> host intel.com
intel.com has address 198.175.96.33
> whois 198.175.96.33
[Querying whois.arin.net]
[whois.arin.net]
Intel Corporation NETBLK-INTEL-IT (NET-198-175-64-0-1) 198.175.64.0 - 198.175.123.255
Distributed Network Technical Support INTEL-IT33 (NET-198-175-96-0-1) 198.175.96.0 - 198.175.96.255

# ARIN WHOIS database, last updated 2004-04-04 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

Threats

• Social Engineering
  – Pose as administrative contact via phone/email to gain information

• Wardialing
  – Search telephone exchange for modems

• Domain Hijacking
  – 1998 redirect of aol.com to autonete.net

• Further network investigation
  – DNS queries
  – Network scans of IP address space

DNS Zone Transfer

• List all DNS information for a domain
  – All hostnames with their IP addresses
  – MX records list mail servers and backups

• Commands
  – host -l -v -t any lorainccc.edu
  – nslookup
    • set type=any
    • ls -d lorainccc.edu

• Defences
  – ACL for zone transfers only from secondary DNS servers
  – Separate internal and external DNS databases

Network Mapping

• DNS and whois searches have identified networks of interest.

• Next step: mapping the networks
  • traceroute
    – explore network topology
    – identify firewalls
  • ping scan
    – find currently up hosts

traceroute

> traceroute www.eng.utoledo.edu
traceroute to green.eng.utoledo.edu (131.183.18.5), 30 hops max, 38 byte packets
 1 pc_elan (10.17.0.1)
 2 lc3gw2 (10.50.0.83)
 3 gwlcc.lorainccc.edu (192.232.30.1)
 4 oeb10-sl1-0-2-1c0.columbus.oar.net (199.18.112.49)
 5 oebc1-gigeth5-0-0.columbus.oar.net (199.18.199.1)
 6 tlp3-atm1-0.toledo.oar.net (199.18.202.53)
 7 utoledo-atm2-0s53.toledo.oar.net (199.18.111.230)
 8 131.183.252.222 (131.183.252.222)
 9 uc7500.utoledo.edu (131.183.1.198)
10 cifshomedirs.eng.utoledo.edu (131.183.18.5)

Network Diagramming

• traceroute to multiple internal hosts
  – identify different paths
  – identify firewalls that prevent traceroute

• Draw map of network based on traceroutes

• Helpful Tools
  • firewalk: route tracing tool that bypasses many firewall configurations that stop traceroute
  • neotrace: geographic map of network route

Defences

• Firewalls
  – Restrict ingress of packet types commonly used for network mapping, e.g. ICMP.

• Detection
  – IDS can detect network mapping attempts, letting you know which IPs are mapping your network.

Ping Scanning

• Send IP packet to each IP address in a network, checking for responses.

• Scan types
  – ICMP echo
  – TCP port 80
  – TCP/UDP specific port
  – Fragmented packets

Ping Scanning

> nmap -sP 10.17.0.0/24
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-04-05 13:57 EDT
Host pc_elan.lc3net (10.17.0.1) appears to be up.
Host 10.17.0.31 appears to be up.
Host 10.17.0.35 appears to be up.
Host sun02 (10.17.0.55) appears to be up.
Host sun09 (10.17.0.64) appears to be up.
Host pc208p01 (10.17.0.66) appears to be up.
Host sun14 (10.17.0.80) appears to be up.
Host 10.17.0.241 appears to be up.
Host 10.17.0.247 appears to be up.
Nmap run completed -- 256 IP addresses (54 hosts up) scanned in 4.510 seconds

Defences

• Firewalls
  – Refuse ICMP echo ingress.
  – Restrict TCP ports to necessary servers
    • port 80 only to web server
    • port 25 only to mail server

• Bypassing defences
  – Multiple sweeps with different target ports.
  – ICMP timestamp and netmask request queries.
  – Fragment scans.

Ping Scan vs Firewall

• Firewall Ruleset
  – pass from any to 10.0.17.31 port 53
  – pass from any to 10.0.17.35 port 25
  – drop all

• > nmap -sP 10.17.0.0/24
  Starting nmap 3.50 at 2004-04-05 13:57
  Nmap run completed -- 256 IP addresses (0 hosts up) scanned in 72.430 seconds

Ping Scan vs Firewall

• Firewall Ruleset
  – pass from any to 10.0.17.31 port 25 keep state
  – pass from any port 53 to any keep state
  – drop all

• > nmap -sP -PS25 10.17.0.0/24
  – bypasses first rule, finds any hosts listening on port 25

• > nmap -sP -g 53 10.17.0.0/24
  – bypasses second rule, as packets look like DNS response

Port Scanning

Method of discovering exploitable communication channels by probing networked hosts to find which TCP and UDP ports they’re listening on.

nmap TCP connect() scan

> nmap -sT at204m02
(1645 ports scanned but not shown are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
443/tcp   open  https
515/tcp   open  printer
2049/tcp  open  nfs
4045/tcp  open  lockd
5432/tcp  open  postgres
5901/tcp  open  vnc-1
6000/tcp  open  X11
32775/tcp open  sometimes-rpc13
Nmap run completed -- 1 IP address (1 host up) scanned in 43.846 seconds

Scanning Techniques

• TCP connect() scan
• TCP SYN scan
• TCP FIN scan
• TCP Xmas scan
• TCP Null scan
• TCP ACK scan
• Fragmentation Scan
• FTP bounce scan
• Idle Scan
• UDP scan

TCP connect() scan

• Use connect() system call on each port, following normal TCP connection protocol (3-way handshake).

• connect() will succeed if port is listening.

• Advantages: fast, requires no privileges

• Disadvantages: easily detectable and blockable.

TCP SYN Scan

• Send SYN packet and wait for response
  – SYN+ACK
    • Port is open
    • Send RST to tear down connection
  – RST
    • Port is closed

• Advantage: less likely to be logged or blocked
• Disadvantage: requires root privilege

TCP FIN scan

• Send TCP FIN packet and wait for response
  – No response
    • Port is open
  – RST
    • Port is closed.

• Advantages: more stealthy than SYN scan
• Disadvantages: MS Windows doesn’t follow standard (RFC 793) and responds with RST in both cases; requires root privilege.

Xmas and Null Scans

• Similar to FIN scan with different flag settings.

• Xmas Scan: Sets FIN, URG, and PUSH flags.

• Null Scan: Turns off all TCP flags.

TCP ACK Scan

• Send TCP ACK packet to specified port
  – RST
    • Port is unfiltered
  – No response or ICMP unreachable
    • Port is filtered

• Used to determine if firewall is simple packet filter that blocks incoming SYN packets or whether it’s a stateful firewall.
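The SYN, FIN, Xmas, Null and ACK scans above (and the FIN probe in the OS fingerprinting section later) all rest on one rule set: how RFC 793 says a stack must answer a segment that belongs to no connection, and how some stacks deviate. This added example, not code from the slides, models that rule set in Python so the response table for each scan type can be derived rather than memorised; the `windows_like` switch is an assumption standing in for the stacks the slides say answer with RST in both cases, and the output is what a NIDS signature writer would use to label such segments.

```python
# A segment is modelled as a set of flag names drawn from these.
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

def rfc793_response(flags, port_open, windows_like=False):
    """Reply a host sends to a segment that matches no existing connection.
    flags: set of flag names on the probe; port_open: a listener is bound to the port.
    windows_like=True models the stacks the slides name (MS Windows, BSDI, Cisco IOS)
    that answer any non-SYN segment on a listening port with RST instead of silence.
    Returns 'RST', 'SYN+ACK' or None (no reply)."""
    if "RST" in flags:
        return None                 # RFC 793: an incoming RST is never answered
    if not port_open:
        return "RST"                # CLOSED state: everything else draws a RST
    if "ACK" in flags:
        return "RST"                # LISTEN state: an unexpected ACK draws a RST
    if "SYN" in flags:
        return "SYN+ACK"            # LISTEN state: a genuine connection attempt
    return "RST" if windows_like else None   # FIN / Xmas / Null: dropped per RFC 793

def classify_probe(flags):
    """Name the stealth-scan probe a bare segment (no prior SYN) resembles.
    Null, Xmas and FIN segments are never the first segment a compliant client
    sends, so a NIDS can treat them as scan signatures outright."""
    f = frozenset(flags)
    if not f:
        return "null-scan"
    if f == {"FIN", "PSH", "URG"}:
        return "xmas-scan"
    if f == {"FIN"}:
        return "fin-scan"
    if f == {"SYN"}:
        return "syn-probe"          # indistinguishable from the start of a connect()
    if f == {"ACK"}:
        return "ack-scan"
    return "other"

def distinguishes_open_from_closed(flags, windows_like=False):
    """True if the probe's reply differs between an open and a closed port on the
    modelled stack, i.e. the scan can actually tell the two apart there."""
    return (rfc793_response(flags, True, windows_like)
            != rfc793_response(flags, False, windows_like))

def response_table(windows_like=False):
    """(probe-name, open-port reply, closed-port reply) for each scan type."""
    probes = [set(), {"FIN"}, {"FIN", "PSH", "URG"}, {"SYN"}, {"ACK"}]
    return [(classify_probe(p),
             rfc793_response(p, True, windows_like),
             rfc793_response(p, False, windows_like)) for p in probes]

if __name__ == "__main__":
    for stack in (False, True):
        print("windows-like stack" if stack else "RFC 793 stack")
        for name, open_reply, closed_reply in response_table(stack):
            print(f"  {name:10} open={open_reply!s:8} closed={closed_reply!s}")
```

Running it shows why the FIN scan works on an RFC 793 stack but not on the windows-like one, and why the ACK scan never reports open versus closed, only filtered versus unfiltered.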

Fragmentation Scan

• Modify TCP stealth scan (SYN, FIN, Xmas, NULL) to use tiny fragmented IP datagrams.

• Advantages: increases difficulty of scan detection and blocking.

• Disadvantages: does not work on all OSes, and may crash some firewalls/sniffers.

FTP Bounce Scan

• FTP protocol supports proxy ftp connections, allowing ftp client to request that a server send a file to any IP address.

• Advantages: bypass firewalls by using ftp server behind firewall as proxy for scans, hide identity of scanning host.

• Disadvantages: many ftp servers no longer support proxying.

Idle Scan

• Use intermediate “idle” (zero traffic) host that increments the IP identification header by one for each packet sent.
• Connect to idle host to obtain IP id.
• Send SYN packet to port X of target host with spoofed IP of idle host.
• If port is open, target host will send SYN+ACK to idle host.
• Connect to idle host to obtain updated IP id
  – If IP id incremented, port X on target was open
• Advantage: no IP packets from your IP address

UDP Scan

• Send 0-byte UDP packet to each UDP port
  – ICMP port unreachable
    • Port is closed
  – Nothing
    • Assume port is open (packet may be lost)

• Advantages: Can discover UDP services
• Disadvantages: Most hosts limit ICMP error rate to a small number of packets/second (RFC 1812), making UDP scans of all 65535 ports very slow.
  – MS Windows doesn’t implement rate limiting.

Version Scanning

• Port scanning reveals which ports are open
  – Guess services on well-known ports.

• How can we do better?
  – Find what server: vendor and version
  – telnet/netcat to port and check for banner
  – Version scanning

Banner Checking

> nc brahms.eecs.utoledo.edu 80
GET / HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Tue, 06 Apr 2004 14:45:35 GMT
Server: Apache/2.0.46 (Unix) PHP/4.3.2
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

<html><head><title>400 Bad Request</title></head><body>…<address>Apache/2.0.46 (Unix) PHP/4.3.2 Server at brahms.eecs.utoledo.edu Port 80</address></body></html>

Version Scanning

1. If port is TCP, open connection.
2. Wait for service to identify self with banner.
3. If no identification or port is UDP,
   1. Send probe string based on well-known service.
   2. Check response against db of known results.
4. If no match, test all probe strings in list.

nmap version scan

> nmap -sV at204m02
(The 1645 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE   VERSION
22/tcp    open  ssh       OpenSSH 3.7.1p2 (protocol 1.99)
80/tcp    open  http      Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2)
111/tcp   open  rpcbind   2-4 (rpc #100000)
443/tcp   open  ssl/http  Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2)
515/tcp   open  printer?
2049/tcp  open  nfs       2-3 (rpc #100003)
4045/tcp  open  nlockmgr  1-4 (rpc #100021)
5432/tcp  open  postgres?
5901/tcp  open  vnc       VNC (protocol 3.3)
6000/tcp  open  X11?
32775/tcp open  status    1 (rpc #100024)

Defences

• Detection
  – Network Intrusion Detection Systems.
  – Port scans often have distinct signatures.
  – NIDS can react to scan by blocking IP address.

• Prevention
  – Disable unnecessary services.
  – Filter packets entering network.
  – Filter packets on each host.
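The detection points in this slide and in the earlier network-mapping defences ("IDS can detect network mapping attempts, letting you know which IPs are mapping your network") both rely on the same signature: one source touching far more distinct hosts (a ping sweep) or far more distinct ports on one host (a port scan) than normal traffic does inside a short window. This added example, not code from the slides, runs that fan-out check over constructed firewall log lines; the log format, the 60-second window and the thresholds of 8 hosts and 10 ports are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's format):
#   <ISO-8601 timestamp> <ACTION> <PROTO> <src-ip> -> <dst-ip> [dport=<n>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+)(?: dport=(?P<dport>\d+))?$"
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"]) if rec["dport"] else 0   # 0: no port (ICMP)
    return rec

def detect_scans(lines, window=timedelta(seconds=60), host_fanout=8, port_fanout=10):
    """Map each source IP to the sorted scan labels it triggered inside any window:
    'ping-sweep' = probes to >= host_fanout distinct hosts,
    'port-scan'  = probes to >= port_fanout distinct ports on a single host."""
    events = defaultdict(list)                 # src -> [(ts, dst, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["src"]].append((rec["ts"], rec["dst"], rec["dport"]))
    alerts = defaultdict(set)
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            hosts, ports_by_host = set(), defaultdict(set)
            for _, dst, dport in evs[start:end + 1]:
                hosts.add(dst)
                if dport:
                    ports_by_host[dst].add(dport)
            if len(hosts) >= host_fanout:
                alerts[src].add("ping-sweep")
            if any(len(p) >= port_fanout for p in ports_by_host.values()):
                alerts[src].add("port-scan")
    return {src: sorted(labels) for src, labels in alerts.items()}

def build_sample_log():
    """Constructed sample: a sweep of 10.17.0.0/24 from 203.0.113.9, a port scan of
    10.17.0.35 from 198.51.100.7, and benign mail/web traffic from 192.0.2.50."""
    t0 = datetime(2004, 4, 5, 13, 57, 0)
    lines = []
    for i in range(1, 41):                                   # 40 hosts in 4 seconds
        ts = (t0 + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f"{ts} DROP ICMP 203.0.113.9 -> 10.17.0.{i}")
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 443, 445]):
        ts = (t0 + timedelta(seconds=5, milliseconds=50 * i)).isoformat()
        lines.append(f"{ts} DROP TCP 198.51.100.7 -> 10.17.0.35 dport={port}")
    for i in range(6):                                       # one host, two ports
        ts = (t0 + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} ALLOW TCP 192.0.2.50 -> 10.17.0.35 dport={25 if i % 2 else 80}")
    return lines

if __name__ == "__main__":
    for src, labels in detect_scans(build_sample_log()).items():
        print(f"{src}: {', '.join(labels)}")
```

The benign client is never flagged because it touches one host and two ports; lowering the thresholds or widening the window is how a real NIDS tunes the trade-off between catching slow scans and raising false positives.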

OS Fingerprinting

Identify OS by specific features of its TCP/IP network stack implementation.
– Explore TCP/IP differences between OSes.
– Build database of OS TCP/IP fingerprints.
– Send set of specially tailored packets to host.
– Match results to identical fingerprint in db to identify operating system type and version.
  • Xprobe uses fuzzy matching techniques.

nmap OS fingerprint examples

> nmap -O at204m02
...
Device type: general purpose
Running: Sun Solaris 8
OS details: Sun Solaris 8
Uptime 10.035 days (since Sat Mar 27 08:59:38 2004)

> nmap -O 10.17.0.1
…
Device type: router
Running: Bay Networks embedded
OS details: Bay Networks BLN-2 Network Router or ASN Processor revision 9

OS Fingerprinting Techniques

• FIN probe
  – RFC 793 requires no response
  – MS Windows, BSDI, Cisco IOS send RST

• Bogus flag probe
  – Bit 7 of TCP flags unused
  – Linux <2.0.35 keeps flag set in response

• TCP ISN sampling
  – Different algorithms for TCP ISNs

• IP Identification
  – Different algorithms for incrementing IPID

OS Fingerprinting Techniques

• TCP Timestamp
  – Is it supported, and if so, at what rate is it incremented?

• Don’t Fragment bit
  – Some OSes send packets with Don’t Fragment set.

• TCP initial window size
  – Some OSes use unique initial window sizes.

• ACK value
  – Most OSes return ISN on FIN+PSH+URG packet, but some return ISN+1

OS Fingerprinting Techniques

• Fragmentation Handling
  – Does first or second fragment of packet broken into overlapping fragments take precedence?

• TCP Options
  – Does OS support all options?
  – Which options does OS set on reply?
  – What is the order of options and where is NOP padding added?

OS Fingerprinting Techniques

• Denial of Service attack
  – Launch DoS attacks in order from oldest to newest, checking for which ones succeed.
  – OSes have different levels of protection against DoS attacks depending on type and version.

Passive Fingerprinting

• Identify OSes of hosts on network by sniffing packets sent by each host.

• Use similar characteristics as active technique:
  – TTL
  – MSS
  – Initial Window Size
  – Don’t Fragment bit

• Tools: p0f
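Passive fingerprinting is the defender-friendly side of this topic (an asset-inventory tool can classify hosts from the SYNs they already send), and it combines two ideas from the slides: the fields listed above, plus the fuzzy matching attributed to Xprobe. This added example, not code from the slides or from p0f, matches constructed SYN records against a constructed signature table with weighted scoring; the signature values, the field weights and the 0.5 confidence threshold are assumptions for the demonstration, while the set of initial TTLs {32, 64, 128, 255} is the standard set stacks start from.

```python
import re

# Constructed signature table: field values are placeholders for this example,
# not entries from the real p0f or nmap databases. 'ittl' is the initial TTL the
# sender's stack uses; the other fields are read straight from the SYN it sent.
SIGNATURES = {
    "os-A": {"ittl": 64,  "df": True,  "win": 5840,  "mss": 1460, "opts": "MSS,SACK,TS,NOP,WS"},
    "os-B": {"ittl": 128, "df": True,  "win": 65535, "mss": 1460, "opts": "MSS,NOP,NOP,SACK"},
    "os-C": {"ittl": 255, "df": False, "win": 8760,  "mss": 1460, "opts": "MSS"},
}
# Weights for fuzzy scoring (assumed): option layout is treated as the strongest signal.
WEIGHTS = {"ittl": 1, "df": 1, "win": 2, "mss": 1, "opts": 3}
INITIAL_TTLS = (32, 64, 128, 255)

def infer_initial_ttl(observed_ttl):
    """A sniffed TTL is the initial TTL minus hops travelled; stacks start from one of
    a few fixed values, so the smallest candidate >= observed is the likely initial TTL.
    Returns (initial_ttl, hop_count)."""
    for ittl in INITIAL_TTLS:
        if observed_ttl <= ittl:
            return ittl, ittl - observed_ttl
    raise ValueError(f"TTL out of range: {observed_ttl}")

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_syn_line(line):
    """Parse one constructed capture line: 'src=... ttl=.. df=0|1 win=.. mss=.. opts=A,B'."""
    kv = dict(FIELD_RE.findall(line))
    return {"src": kv["src"], "ttl": int(kv["ttl"]), "df": kv["df"] == "1",
            "win": int(kv["win"]), "mss": int(kv["mss"]), "opts": kv["opts"]}

def fingerprint(rec, threshold=0.5):
    """Score rec against every signature; return (name, confidence) for the best one,
    or ('unknown', confidence) when even the best match scores below threshold."""
    ittl, _hops = infer_initial_ttl(rec["ttl"])
    observed = {"ittl": ittl, "df": rec["df"], "win": rec["win"],
                "mss": rec["mss"], "opts": rec["opts"]}
    total = sum(WEIGHTS.values())
    best_name, best_score = "unknown", 0
    for name, sig in sorted(SIGNATURES.items()):        # sorted: deterministic ties
        score = sum(w for field, w in WEIGHTS.items() if observed[field] == sig[field])
        if score > best_score:
            best_name, best_score = name, score
    confidence = round(best_score / total, 3)
    return (best_name if confidence >= threshold else "unknown"), confidence

# Constructed capture lines (not from the slides): an exact match, a second exact
# match, a near match with a non-default MSS, and a host no signature covers.
SAMPLE_SYNS = [
    "src=10.17.0.55 ttl=52 df=1 win=5840 mss=1460 opts=MSS,SACK,TS,NOP,WS",
    "src=10.17.0.66 ttl=110 df=1 win=65535 mss=1460 opts=MSS,NOP,NOP,SACK",
    "src=10.17.0.80 ttl=60 df=1 win=5840 mss=1380 opts=MSS,SACK,TS,NOP,WS",
    "src=10.17.0.241 ttl=240 df=0 win=4096 mss=536 opts=MSS,WS",
]

if __name__ == "__main__":
    for line in SAMPLE_SYNS:
        rec = parse_syn_line(line)
        print(rec["src"], infer_initial_ttl(rec["ttl"]), fingerprint(rec))
```

The third record still resolves to os-A at 0.875 because only the MSS differs, which is the point of fuzzy matching; the fourth falls below the threshold and is reported as unknown rather than forced onto the nearest signature.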

Fingerprinting Defences

• Detection
  – NIDS

• Blocking
  – Firewalling
  – Some probes can’t be blocked.

• Deception
  – IPpersonality changes Linux TCP/IP stack signature to that of another OS in nmap db.

Key Points

• Reconnaissance
  – Don’t forget about low tech means.
  – Organizations give away more information than most expect.

• Port Scanning
  – Find more than just ports: versions, OSes.
  – TCP/IP implementation differences provide much useful data.

References

1. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
2. William Cheswick, Steven Bellovin, and Aviel Rubin, Firewalls and Internet Security, 2nd edition, 2003.
3. Fyodor, “The Art of Port Scanning,” http://www.insecure.org/nmap/nmap_doc.html
4. Fyodor, NMAP man page, http://www.insecure.org/nmap/data/nmap_manpage.html
5. Fyodor, “Remote OS detection via TCP/IP Stack FingerPrinting,” Phrack 54, http://www.insecure.org/nmap/nmap-fingerprinting-article.html
6. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003.
7. Johnny Long, Google Hacking for Penetration Testers, Syngress, 2004.
8. Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed, 3rd edition, McGraw-Hill, 2001.
9. Ed Skoudis, Counter Hack, Prentice Hall, 2002.