Embed Size (px)
Citation preview
Reconnaissance & Scanning
By Letian Li
ISQS 6342 (Spring 2003)Professor John Durrett
Reconnaissance
Using a combination of tools and techniques to take an unknown quantity of information and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet. Low-Technology Reconnaissance Search the Fine Web Use search engines Whois Databases Domain Name System
Low-Technology Reconnaissance
Social Engineering Computer users must be trained not give
sensitive information away to a friendly caller. Physical Beak-in
A guard at the front door or a card reader checks all employees coming into a given facility.
Dumpster Diving A well used paper shredder is the best
defense against dumpster diving.
Search the Fine Web (STFW)
Searching an organization’s own web site The Fine Art of using search engines Listening in at the Virtual Watering Hole:
Usenet
Searching an organization’s own web site Employee’s contact information with phone
numbers. Clues about the corporate culture and
language. Business partners. Recent mergers and acquisitions. Technologies in use.
The Fine Art of using search engines
AltaVista Excite Google
Listening in at the Virtual Watering Hole: Usenet
Internet Usenet newsgroups are frequently used by employees to share information and ask questions. Reveals sensitive information. Web search engine such as
www.groups.google.com provides a massive archive of an enormous number of newsgroups.
Defenses against web-based Reconnaissance Establishing policies regarding what type of
information is allowed in your own web servers. Avoid including information about the products
used in your environment, particularly their configuration.
Policy regarding the use of newsgroups and mailing list by employees. Avoid posting information about system
configurations, business plans, and other sensitive topics.
Whois Databases: treasure Chests of Information Whois Databases contain a variety of data elements r
egarding the assignment of Internet addresses, Domain names, and individual contacts.
Researching .com, .net, and .org Domain Names. A complete list of all accredited registrars is available a
t www.internic.net/alpha.html. www.internic.net/whois.html
Allows a user to enter an organization’s name or domain name.
Researching Domain Names Other Than .com, .net, and .org. For organizations outside of the United States, a list ca
n find from www.allwhois.com/home.html.
IP Address Assignments through ARIN
American Registry for Internet Numbers. Contains all IP addresses assigned to particul
ar organization. Users can access the ARIN whois database at
http://www.arin.net/whois/index.html. European IP address assignments can be retr
ieved at www.ripe.net.
Defenses against Whois Searches
Database information that is useful for attackers should not be available to the public.
Can we use some erroneous or misleading registration information? You can quickly and easily get the contact info
rmation using whois searches. The whois database information let us inform
an administrator that their systems were being used in an attack.
Defenses against Whois Searches
There rally is no comprehensive defense to prevent attackers from gaining registration data.
The Domain Name System
DNS is a hierarchical database distributed around the world that store a variety of information, including IP addresses, domain names, and mail server information. DNS servers store this information and make up the
hierarchy.
Interrogating DNS Servers
nslookup command Windows Nt/2000 Most variations of Unix
host command Included with most variations of UNIX
dig command Included with some UNIX variants
Defenses from DNS-Based Reconnaissance Make sure you aren’t leaking information
unnecessarily through DNS servers. Restrict zone transfers. Use “split DNS” to limit the amount of DNS
information about your infrastructure.
We’ve got the registrar, now what?
Names: Complete registration information includes the administrative, technical, and billing contact names. An attacker can use this information to
deceive people in target organization during a social engineering attack.
Telephone numbers The telephone numbers associated with the
contacts can be used by an attacker in war-dialing attack.
We’ve got the registrar, now what? (cont.)
Email addresses: this information will indicate to an attacker the format of email addressed used in the target organization. The attacker will know how to address email
for any user. Postal addresses:
An attacker can use this geographic information to conduct dumpster-diving exercises or social engineering.
We’ve got the registrar, now what? (cont.)
Registration dates: Older registration records tends to be
inaccurate. A record that hasn’t been recently updated
may indicate an organization that is lax in maintaining their Internet connection.
Name severs: This incredibly useful field includes the
addresses for the Domain Name system servers for the target.
General Purpose Reconnaissance Tools
Sam Spade, a General-Purpose Reconnaissance Client Tool. One of the easiest to use and most functio
nal integrated reconnaissance suites available today.
Runs on Windows 9X, NT, and 2000. Available at www.samspade.org/ssw/
Sam Spade’s Capabilities
Ping: This tool will send an ICMP Echo request message to a target to see if it is alive and determine how long it takes it to respond.
Whois: Conduct Whois lookups using default Whois servers, or by allowing the user to specify which Whois database to use.
IP Block Whois: Used to determine who owns a particular set of IP addressed, using ARIN databases.
Nslookup: Querying a DNS server to find domain name to IP address mapping.
DNS Zone Transfer: Transfers all information about a given domain from the proper name serer.
Sam Spade’s Capabilities (cont.)
Traceroute: Return a list of router hops between the source machine and the chosen target.
Finger: Supports querying a system to determine its user list.
SMTP VRFY: Determine whether particular email addresses are valid on a giver email server.
Web browser: Sam Spade’s built-in mini browser lets its users view raw HTTP interaction, including all HTTP headers.
General Purpose Reconnaissance Tools (cont.)
Other client-based reconnaissance tools similar to Sam Spade include: cyberKit: A freeware tool fro Windows availabl
e at http://www.twpm.com/internet/downloads/cyberkit.htm
iNetScanTools: a feature-limited demonstration tool from windows and Macintosh, available at www.wildpackets.com/products/inettools
Web-Based reconnaissance tools: Research and Attack Portals www.samspade.org www.network-tools.com www.securityspace.com/ www.grc.com/x/ne.dll?bhobkyd2 www.doshelp.com/dostest.htm www.dslreports.com/r3/dsl/secureme
Scanning
Scanning phase is akin to a burglar turning doorknobs and trying to open windows to find a way into your house. Common techniques include: War Dialing Network Mapping Port Scan Vulnerability Scan
War Dialing
A war-dialing tool automates the task of dialing large pools of telephone numbers in an effort to find unprotected modems.
An attacker can scan in excess of a thousand telephone numbers in a single night using a single computer with a single phone line.
More computers and phone line make the scan even faster.
War Dialer vs. Demon Dialer
A war dialer is a tool used to scan a large pool of numbers to find modems and other interesting lines.
A demon dialer is a tool used to attack just one telephone number with a modem, guessing password after password in an attempt to gain access.
War dialing focuses in scanning a variety of telephone numbers, while demon dialing focuses in gaining access through a single telephone number.
A Toxic Recipe: Modems, remote Access Products, and Clueless Users By default, many of these remote control
products include no password for authentication.
Anyone dialing up to a system with war-dialer installed has complete control over the victim machine without providing even password.
We can discover modems connected to servers and routers that either request no password or have a trivial-to-guess password.
Finding Telephone Numbers to Feed into a War Dialer The phone book. The Internet. Whois databases. Your organization’s Web site. Social engineering.
War-Dialing Tools
THC-Scan 2.0. THC-Scan is one of the most full-featured, non
commercial war dialing tool available today. You can find it at
www.ussysadmin.com/modules.php?name=Downloads&d_op=search&query=
l0pht’s TBA War-Dialing Tool Available at www.l0pht.com
The War Dialer provides a List of Lines with Modems: Now What? The attacker may find systems without
password. The attacker will connect to such system, look through local files, and start to scan the net work.
If all of the discovered systems with modems are password protected, the attacker will then sort to password guessing.
Defenses against War Dialing
Modem policy. Dial-out only?
While this technique works quite well, some users have a business need that requires incoming dial-up modem access.
Find your modems before the attackers do. Use a commercial war dialer.
www.sandstorm.net www.securelogix.com
Desk-to-desk checks.
Network Mapping
Network mapping" is the effort to map Topology
How network components are connected to each other to build up the network.
Network devices Types, brands, versions etc.
Computers and services Computers and their placement, vendors and m
odels of running O.S.'s, published services
Common Network Mapping
Sweeping: Finding Live Hosts. Traceroute: What Are the Hops?
Sweeping: finding Live Hosts
ICMP Send an ICMP Echo Request packet to every
possible address. If a reply comes back, that address has an
active machine. But many networks block incoming ICMP
messages.
Sweeping: finding Live Hosts (cont.)
TCP/UDP An attacker could alternatively send a TCP or
UDP packet to a port that is commonly open, such as TCP port 80.
If nothing comes back, there may or may not be a machine there.
Traceroute: What Are the Hops?
Tracerouting relies on the Time-To-Live (TTL) field in the IP header.
Start with a TTL of one. This process continues with incrementally higher TTLs until reach the destination. ICMP Time Exceeded message has the router’s IP add
ress. Most UNIX varieties include a version for the traceroute program.
Windows NT and Windows 2000 include tracert program.
Cheops: A Nifty Network Mapper and General-Purpose Management Tool Available at www.marko.net/cheops Runs Linux.
Defenses against Network Mapping
Filter out the underlying messages that mapping tools rely on. At Internet gateway, block incoming ICMP me
ssages, except to hosts that you want the public to be able to ping.
Filter ICMP TIME Exceeded messages leaving your network to stymie an attacker using traceroute(tracert).
Determining Open Ports Using Port Scanners Discover the purpose of each system and lear
n potential entryways into your machines by analyzing which ports are open.
The attacker may focus on common services like telnet, FTP, email.
Free port-scanning tools: Nmap, at www.insecure.org/nmap/. Ultrascan. Strobe.
Nmap: A Full-Featured Port Scanning Tool A nice GUI for Nmap.
Common Type of Nmap Scans
TCP Connect TCP SYN Scans TCP FIN, Xmas Tree, and Null Scans TCP ACK Scans FTP Bounce Scans
The Polite scan: TCP Connect
Complete the TCP three-way handshake.
Connect scans are really easy to detect. The web server’s log file will indicate that a
connection was opened from the attacker’s IP address.
Attackers often use stealthier scan techniques.
A Little Stealthier: TCP SYN Scans
SYN scans stop two-thirds of the way through the handshake.
If the target port is closed, the attacker’s system will receive either no response, a RESET packet, or an ICMP Port unreachable packet, depending on the target machine type and network architecture.
Benefits: Stealthier. A true connection never occurs. Speed.
Violate the protocol Spec: TCP FIN, Xmas Tree, and Null Scans A FIN packet instructs the target system that
the connection should be torn down. A closed port should respond with a RESET. An open port will respond nothing.
Xmas Tree and Null scan are similar to FIN Scan.
Unfortunately, this technique does not work against Microsoft Windows-based systems.
Kicking the ball Past the Goalie: TCP ACK Scans
Obscure the Source: FTP Bounce Scans Some old FTP servers allow a user to connect to
them and request that the server send a file to another system.
Attacker opens a connection to a FTP server supporting the bounce feature.
The attacker’s tool requests that the innocent FTP server open a connection to a given port in the target system.
Innocent FTP then will tell the attacker the status of the port.
Don’t Forget UDP!
UDP does not have a three-way handshake, sequence numbers, or code bits.
Packets may be delivered out of order, and are not retransmitted if they are dropped.
False positives are common during UDP scan.
Setting Source Ports for a successful Scan TCP port 80 is a popular choice for a source
port, as the resulting traffic will appear to be coming from a Web server using HTTP.
Attackers also widely use TCP source port 25, which appears to be traffic from an Internet mail server using the SMTP protocol.
Another interesting option involves using a TCP source port of 20, which will look like an FTP-data connection.
Defenses against port Scanning
Harden your systems. Close all unused ports. For critical systems, delete the programs asso
ciated with the unneeded service. Find the Openings before the Attackers Do.
Scan your systems before an attacker does to verify all ports are closed except those that have a defined business need.
Add Some Intelligence: Use Stateful Packet Filters or Proxies.
Vulnerability Scanning Tools
A vulnerability-scanning tool will automatically check for the following types of vulnerabilities on the target system: Common configuration errors: Numerous
systems have poor configuration settings, leaving various openings for an attacker to gain access.
Default configuration weaknesses: default accounts and passwords.
Well-known system vulnerabilities: new security holes are discovered and published.
Vulnerability Scanning Defenses
Again, close all unused ports and apply patches to your systems.
Run the Tools against Your Own Networks. Use any one of the free or commercial tools. Be careful with denial-of-Service and Passw
ord Guessing Tests. You could damage your systems if you misconfig
ure the tools. Be sure to disable Denial-of-Service attacks, unle
ss you specifically want them. Password-guessing may lock out legitimate users.
Vulnerability Scanning Defenses
Be aware of Limitations of Vulnerability Scanning Tools. These tools only check for vulnerabilities that
they know about. You must be sure to keep the vulnerability
database up to date. These tools don’t really understand the
network architecture.
Intrusion Detection System
All of the scanning tools are incredibly noisy. A robust vulnerability scan could send hundre
ds of thousands or millions of packets to the target network.
A network-based IDS captures all data on the LAN, gathering packets associated with normal use of the network and attacks alike.
By matching attack signatures in their database, IDSs detect attacks.
Evade Network-Based Intrusion Detection Systems Mess with the appearance of traffic so it
doesn’t match the signature. Detection is based on signature matching, the
attackers can work hard to make sure their attacks don’t look like the signatures checked by the IDS.
IDS Evasion at the Network Level
A large IP packet is broken down into a series of fragments, each with its own IP header. To detect attaches, IDS needs to store, reassemble and analyze all of these fragments.
Use fragments: Older IDS cannot handle fragment resemble.
Send a flood of fragments: tie up all of the memory capacity of the IDS systems.
Fragment the packets in unexpected ways: fragment the packets in a variety of unusual ways.
IDS Evasion Defenses
Don’t despair: Utilize IDS Where appropriate. Keep the IDS System up to date. Utilize both Host-Based and Network-Based
IDS. A network-base IDS listens to the network
looking for attacks. A host-based IDS run on the end system that
is under attack.
References
Counter Hack, Ed Skoudis,Prentice-Hall,Inc. NJ, 2002
Hacking Exposed, McClure, Scambray, Kurtz, McGrawHill, Chicago, 2001
http://www.internic.net/alpha.html http://www.internic.net/whois.html http://www.alldomains.com/404.html http://www.arin.net/whois/index.html http://www.ripe.net/ http://www.scit.wlv.ac.uk/~jphb/comms/dns.html http://www.microsoft.com/technet/treeview/default.as
p?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_DNS_und_ZoneTransfers.asp
References (cont.)
http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html
http://www.samspade.org/ssw/ http://www.freesoft.org/CIE/Topics/81.htm http://www.austin.rr.com/rrsec/computer_ports.html http://searchnetworking.techtarget.com/sDefinition/0,,
sid7_gci214184,00.html http://www.marko.net/cheops/ http://www.insecure.org/nmap/ http://www.security.pipex.net/stateful.html http://www.sei.cmu.edu/str/descriptions/firewalls_bod
y.html
