Techniques of Network Attacks and Defenses
Chapter 3: Reconnaissance/Scanning
Po-Ching Lin
Lifecycle of network attacks
Reconnaissance (footprinting): discover as much about the target as possible
Scanning: scan the target systems looking for openings
Gaining access / DoS: access or disable the target systems
Maintaining access: keep access to and control of the target systems
Covering tracks & hiding: quietly communicate with and access the target systems
1 / 43
Reconnaissance: why and how?
Think about how bandits rob a bank
▶ Frequently visiting the target bank
▶ Recording the times the guards enter and leave
▶ Observing the location of security cameras
▶ Determining the alarm system vendors
▶ Planning a getaway route
But... bank robbery is not so popular now...
Ways of reconnaissance (low/no technology)
▶ Social engineering
▶ Physical break-in
▶ Dumpster diving
2 / 43
Social engineering
What is social engineering?
▶ Leveraging psychological manipulation to trick humans into making security mistakes or disclosing confidential information.
▶ Exploiting the weaknesses of humans rather than of software.
Common social engineering tricks
▶ Baiting: lure a person into picking up and using physical media left behind (e.g., a USB stick carrying malware).
▶ Phishing: typically send email to trick the receiver into revealing sensitive information.
▶ Spear-phishing: like phishing, but focused on specific targeted recipients.
▶ Impersonation: pretend to be another person.
3 / 43
Example of a probable spear-phishing email
Would you open the attached file?
▶ Perhaps not. But what about other people?
▶ The weakest point in your organization is the most dangerous one.
▶ The attacker may investigate the recipient thoroughly to raise the success rate.
4 / 43
Information leakage of relations
Figure: source: K. R. Macwan and S. J. Patel, "k-NMF Anonymization in Social Network Data Publishing," The Computer Journal, vol. 61, no. 4, pp. 601-613, April 2018.
▶ Social relations are available from online social networks.
▶ Some private information can be revealed involuntarily, through the relations alone.
5 / 43
Even information from more than 10 years ago
Available at https://www.archive.org (the Wayback Machine keeps old copies of pages long after the site owner has removed them)
6 / 43
Physical break-in
Figure: four photographs, (a) to (d), of physical break-in techniques.
See https://www.youtube.com/watch?v=M0m7y5S1mFU.
7 / 43
What if an access card is used?
A badge may be needed, so the intruder learns to look like someone who belongs there (see the photo)...
8 / 43
Search the Web
Why search the Web for reconnaissance?
▶ A huge amount of public information is on the Web
▶ Many search engines are available today
▶ Searching public sources is passive and legal (the target never sees a packet from you)
Google search engine
▶ Google bots
▶ Google index (PageRank)
▶ Google cache
▶ Google API
9 / 43
Precise search using Google
Google returns at most 1,000 results per query, so the search term should be as precise as possible.
Directive/Operator    Purpose                                      Search example
site:[domain]         Results associated with a given domain       Look for xxx in the CCU domain: xxx site:ccu.edu.tw
intitle:[term]        Pages whose title contains the given term    See all titles with CCU: intitle:ccu
inurl:[term]          Pages whose URL contains the given term      See all URLs with passwd: inurl:passwd
related:[site]        Pages similar to the given page              See pages similar to www.cs.ccu.edu.tw: related:www.cs.ccu.edu.tw
10 / 43
Precise search using Google (cont.)
Directive/Operator    Purpose                                            Search example
cache:[page]          Display a page as stored in Google's cache         Recent cached view of www.ccu.edu.tw: cache:www.ccu.edu.tw
filetype:[suffix]     Search only files of a given type                  Look for all PDF files: filetype:pdf
Literal match (" ")   Match the given phrase exactly                     "network security", instead of "network" and "security" separately
Not (-)               Exclude pages that contain a given term            A common word without one of its senses: jobs -apple
Plus (+)              Force a common word that Google would drop ("the") Look for "the" and "book": +the book
Note: the + operator was retired by Google in 2011 (quote the word instead: "the" book), and the cache: operator has since been removed as well (2024); use the Wayback Machine at archive.org for old copies of a page.
11 / 43
Google hacking
Usefulness of Google directives and operators
▶ Attackers can combine various search directives and operatorsto find useful information.
▶ Use your imagination.
Example
▶ inurl:admin site:cs.ccu.edu.tw
▶ intitle:“Router Access” inurl:Router Login.asp
More information
▶ Google Hacking Database (GHDB)
▶ Google Hacking for Penetration Testers, 3rd Edition
12 / 43
Searching an organization’s Web site
For social engineering
▶ Employees' contact information
▶ Corporate culture and language
▶ Business partners
For weaknesses
▶ Recent mergers and acquisitions
▶ Technologies in use
▶ Open job requisitions, e.g., "looking for Checkpoint firewall administrators" tells you:
1. They use Checkpoint firewalls.
2. They do not have experienced staff for those firewalls.
13 / 43
Newsgroups or Web forums
Why are newsgroups and forums useful to attackers?
▶ Employees may share information and ask questions, e.g.,
• How to configure a system?
• How to get around software coding difficulties
• Troubleshooting a problem
▶ Attackers may learn a lot from the information
• The vendor products in use
• The configuration of the system
• The person responsible for the system
▶ Attackers may even reply with false advice to the requester.
14 / 43
Defenses against Web search
▶ Do not put sensitive information on Web sites (even in a directory with an obscure name).
▶ Do not post sensitive information, such as system configurations, to newsgroups or forums.
▶ Actively search to see whether any sensitive information is already exposed.
▶ Educate your staff.
▶ Remove information from Google
• Add a robots.txt at the Web server's document root (/robots.txt).
• Use the noindex meta tag (do not include the page in the index)
• Use the nofollow meta tag (do not follow links on the page)
• Use the noarchive meta tag (do not cache the page)
• Use the nosnippet meta tag (do not show summary snippets)
• e.g., <meta name="robots" content="noindex" />
• Ask Google to remove content through its URL removal tool
• Caveat: a page blocked by robots.txt can still be indexed from links pointing at it, and the crawler never fetches it, so it never sees the noindex tag. To keep a page out of the index, let it be fetched and send noindex, or put it behind authentication.
15 / 43
More about robots.txt
Example
▶ Keep all robots out
• User-agent: *
• Disallow: /
▶ Tell all robots not to enter three directories
• User-agent: *
• Disallow: /cgi-bin/
• Disallow: /images/
• Disallow: /tmp
▶ Tell a specific robot not to enter a specific directory
• User-agent: xxx
• Disallow: /private/
Note: you also tell attackers what is important! robots.txt is only a request to well-behaved crawlers; nothing stops anyone from fetching the listed paths.
16 / 43
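The two sides of the robots.txt slides above, as an added example (not code from the slides or from any crawler): disallowed_paths() reads the file the way an attacker does, collecting every path the owner asked crawlers to avoid, and can_fetch() applies the same file the way a crawler does, with the standard library's urllib.robotparser. The robots.txt content and the host name www.example.test are constructed for the example.

```python
import urllib.robotparser

# Constructed sample robots.txt (not from any real site): the slide's
# "three directories" rule set plus a group for one specific robot.
ROBOTS_TXT = """\
# constructed sample, not from any real site
User-agent: *
Disallow: /cgi-bin/
Disallow: /images/
Disallow: /tmp

User-agent: BadBot
Disallow: /private/
"""

SITE = "https://www.example.test"   # assumed host for the URLs passed to can_fetch()


def disallowed_paths(text):
    """Attacker's view: {user-agent: [disallowed paths]} in file order.
    A hand-written parse, so the result does not depend on any library's
    merging rules; comments and blank lines are dropped."""
    rules, agent = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            agent = value
            rules.setdefault(agent, [])
        elif key == "disallow" and agent is not None and value:
            rules[agent].append(value)
    return rules


def can_fetch(text, user_agent, path):
    """Crawler's view: may this user agent fetch this path under these rules?
    Only the most specific matching User-agent group applies; '*' is the
    fallback, so BadBot is NOT bound by the '*' rules. Disallow matches by
    path prefix, so /tmp also covers /tmpfile."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp.can_fetch(user_agent, SITE + path)


if __name__ == "__main__":
    for agent, paths in disallowed_paths(ROBOTS_TXT).items():
        print(f"{agent}: {', '.join(paths)}")          # what an attacker notes down
    print(can_fetch(ROBOTS_TXT, "Googlebot", "/cgi-bin/test.cgi"))   # False
    print(can_fetch(ROBOTS_TXT, "BadBot", "/cgi-bin/test.cgi"))      # True: only /private/ binds BadBot
```

The attacker's list is exactly the "what's important" map the slide warns about; the crawler side shows two details that matter when you write the file for defense: a specific User-agent group replaces the wildcard group rather than adding to it, and Disallow entries are prefixes, not exact paths.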
Whois database
▶ A variety of data elements about the assignment of domain names, the individual contacts, and even IP address blocks
▶ Populated when you register a domain name at a registrar
▶ Can be looked up directly with the whois command on UNIX/Linux, or through Web front ends such as ICANN Lookup and TWNIC whois
▶ Note: since 2018 most personal contact fields are redacted for privacy, and RDAP (JSON over HTTPS) is the successor to the port-43 whois protocol.
▶ Note: if only the geographical location is needed, use geoiplookup.
17 / 43
Defenses against whois searches
Why keep the whois database at all?
▶ It looks unsafe: why not remove it, or register with fake information?
▶ Because administrators use it to reach other administrators while investigating an attack.
▶ Therefore the whois information should be accurate and kept up to date.
Anonymous (privacy/proxy) registration services
▶ The registrar's or proxy's contact information is published instead of yours.
▶ This may slow down contact during an incident, and speed matters.
▶ So how to defend against whois searches? Accept that the data is public, and train your staff so that the names and numbers in it cannot be used for social engineering.
18 / 43
Interrogating with DNS servers
▶ Identify the DNS servers (e.g., from the whois record or the NS records)
▶ Use a command such as nslookup or dig
• In particular, try a zone transfer (AXFR), the mechanism by which secondary DNS servers copy the zone from the primary
• Use the following nslookup commands for a zone transfer (the ls subcommand exists in the Windows nslookup; Linux builds no longer have it, so use dig with the axfr query type there)
server a.b.c.d      // point to a DNS server
set type=any        // look for any type of record
ls -d domain.name   // list the whole zone
▶ Chances of a zone transfer: most attempts fail (the server answers REFUSED), but careless administrators still leave it open.
19 / 43
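The zone-transfer exchange from the slide above, as an added example (not code from the slides and not part of dig or nslookup): a minimal AXFR client that builds the DNS query, sends it over TCP port 53 with the two-byte length prefix, and parses the reply, so that the outcome is judged from the RCODE (NOERROR with records versus REFUSED) rather than from a tool's output format. The zone example.test, the sample answer and the sample refusal below are constructed; nothing here contacts a real server unless you pass a server and zone on the command line.

```python
import socket
import struct

QTYPE_AXFR, QTYPE_SOA, QTYPE_NS, QTYPE_A = 252, 6, 2, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_axfr_query(zone, txid=0x2A2A):
    """Header (ID, flags=0, QDCOUNT=1) followed by one question: zone, QTYPE AXFR, class IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)


def build_rr(name, rtype, ttl, rdata):
    """Wire-encode one resource record without name compression (used for the sample reply)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def decode_name(msg, off):
    """Decode the name at offset, following RFC 1035 compression pointers; returns (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return (rcode name, [(owner, rtype, rdata bytes), ...]) for one DNS message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((owner, rtype, msg[off:off + rdlen]))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), records


def zone_transfer(server, zone, timeout=5):
    """Live AXFR attempt. A transfer starts and ends with the zone's SOA record, possibly
    spread over several TCP messages. REFUSED means the server is configured correctly."""
    query = build_axfr_query(zone)
    records, rcode, soa_seen = [], "NOERROR", 0
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2 and rcode == "NOERROR":
            hdr = s.recv(2)
            if len(hdr) < 2:
                break
            (length,) = struct.unpack("!H", hdr)
            msg = b""
            while len(msg) < length:
                chunk = s.recv(length - len(msg))
                if not chunk:
                    raise ConnectionError("truncated DNS message")
                msg += chunk
            rcode, part = parse_response(msg)
            records.extend(part)
            soa_seen += sum(1 for r in part if r[1] == QTYPE_SOA)
    return rcode, records


# Constructed sample replies (not captured from any real server). The SOA rdata is a
# placeholder byte; this example does not decode rdata beyond copying it.
_hdr_ok = struct.pack("!HHHHHH", 0x2A2A, 0x8400, 1, 4, 0, 0)       # QR=1, AA=1, RCODE=0, 4 answers
_q = encode_name("example.test") + struct.pack("!HH", QTYPE_AXFR, 1)
SAMPLE_TRANSFER = (_hdr_ok + _q
                   + build_rr("example.test", QTYPE_SOA, 3600, b"\x00")
                   + build_rr("example.test", QTYPE_NS, 3600, encode_name("ns1.example.test"))
                   + build_rr("www.example.test", QTYPE_A, 300, bytes([192, 0, 2, 10]))
                   + build_rr("example.test", QTYPE_SOA, 3600, b"\x00"))
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x2A2A, 0x8005, 1, 0, 0, 0) + _q   # RCODE=5, no answers

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(zone_transfer(sys.argv[1], sys.argv[2]))   # e.g. ns1.example.test example.test
    else:
        print(parse_response(SAMPLE_TRANSFER))
        print(parse_response(SAMPLE_REFUSED))
```

Run it against each name server listed in the zone's NS records (the equivalent of dig @server zone axfr for each one): a zone is only as protected as its least careful secondary. On the defensive side, the same function is a quick self-check that every public-facing server answers REFUSED to an unauthorised client.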
Defenses from DNS-based reconnaissance
▶ Put no extra information, such as OS types (HINFO records), into the DNS resource records.
▶ Restrict zone transfers to the primary-to-secondary path only (allow transfers only from the secondaries' addresses, ideally authenticated with TSIG).
▶ Configure the firewall so that zone transfers (TCP port 53) are allowed only from the primary to the secondary. Do not block TCP 53 wholesale: ordinary DNS also falls back to TCP for answers too large for UDP.
▶ Do not allow zone transfers from the secondary server.
▶ Split DNS into an internal DNS (for internal hosts) and an external DNS (listing only the public servers).
20 / 43
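The transfer restrictions above, written out as BIND 9 named.conf fragments (an added example, not from the slides; the zone example.test, the addresses and the key name are illustrative). The first fragment is the weak configuration that lets anyone pull the zone; the following ones restrict transfers to the secondaries and forbid them on the secondary itself.

```conf
# Weak: any client on the Internet can pull the whole zone with AXFR
zone "example.test" {
    type primary;
    file "example.test.zone";
    allow-transfer { any; };
};

# Corrected primary: only the listed secondaries may transfer, and they are
# notified of changes; a TSIG key makes the check stronger than source address alone
acl "secondaries" { 192.0.2.53; 2001:db8::53; };
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret generated with tsig-keygen>";
};
zone "example.test" {
    type primary;
    file "example.test.zone";
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.53; 2001:db8::53; };
};

# Secondary: accept the zone from the primary, never hand it out to anyone
zone "example.test" {
    type secondary;
    primaries { 192.0.2.1 key "xfer-key"; };
    file "sec/example.test.zone";
    allow-transfer { none; };
};
```

The type names primary/secondary/primaries are the BIND 9.16+ spelling of master/slave/masters. Split DNS in BIND is done with views (match-clients), serving an internal and an external version of the same zone from one server, or more simply with two separate servers.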
Reconnaissance tool: recon-ng
▶ A full-featured framework for open source (OSINT) reconnaissance
▶ Look and feel similar to the Metasploit Framework
▶ Supports a number of modules, installed from its marketplace
[recon-ng][default] > marketplace search vulnerabilities
[*] Searching module index for 'vulnerabilities'...
+------------------------------------------------------------------------------------------------+
| Path | Version | Status | Updated | D | K |
+------------------------------------------------------------------------------------------------+
| recon/domains-vulnerabilities/ghdb | 1.1 | not installed | 2019-06-26 | | |
| recon/domains-vulnerabilities/xssed | 1.1 | not installed | 2020-10-18 | | |
| recon/hosts-hosts/ssltools | 1.0 | not installed | 2019-06-24 | | |
| recon/repositories-vulnerabilities/gists_search | 1.0 | not installed | 2019-06-24 | | |
| recon/repositories-vulnerabilities/github_dorks | 1.0 | not installed | 2019-06-24 | | * |
+------------------------------------------------------------------------------------------------+
D = Has dependencies. See info for details.
K = Requires keys. See info for details.
21 / 43
Using the hackertarget module
[recon-ng][default] > marketplace info recon/domains-hosts/hackertarget
+---------------------------------------------------------------------------------------------------------------+
| path | recon/domains-hosts/hackertarget |
| name | HackerTarget Lookup |
| author | Michael Henriksen (@michenriksen) |
| version | 1.1 |
| last_updated | 2020-05-17 |
| description | Uses the HackerTarget.com API to find host names. Updates the 'hosts' table with the results. |
| required_keys | [] |
| dependencies | [] |
| files | [] |
| status | not installed |
+---------------------------------------------------------------------------------------------------------------+
[recon-ng][default] > marketplace install recon/domains-hosts/hackertarget
[*] Module installed: recon/domains-hosts/hackertarget
[*] Reloading modules...
22 / 43
Using the hackertarget module (cont.)
[recon-ng][default] > modules load recon/domains-hosts/hackertarget
[recon-ng][default][hackertarget] > info
Name: HackerTarget Lookup
Author: Michael Henriksen (@michenriksen)
Version: 1.1
Description:
Uses the HackerTarget.com API to find host names. Updates the 'hosts' table with the results.
Options:
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see ’info’ for details)
Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
<string> string representing a single input
<path> path to a file containing a list of inputs
query <sql> database query returning one column of inputs
[recon-ng][default][hackertarget] > options set SOURCE cs.ccu.edu.tw
SOURCE => cs.ccu.edu.tw
[recon-ng][default][hackertarget] > run
-------------
CS.CCU.EDU.TW
-------------
[*] Country: None
[*] Host: cs.ccu.edu.tw
[*] Ip_Address: 140.123.101.1
...
23 / 43
Social Engineering Toolkit
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules
99) Return back to the main menu.
set> 1
The Spearphishing module allows you to specially craft email messages and send
them to a large (or small) number of people with attached fileformat malicious
payloads. If you want to spoof your email address, be sure "Sendmail" is in-
stalled (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF
flag to SENDMAIL=ON.
There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!
1) Perform a Mass Email Attack
2) Create a FileFormat Payload
3) Create a Social-Engineering Template
99) Return to Main Menu
24 / 43
Shodan search engine
To search for various types of webcams, routers, servers, etc.connected to the Internet using various filters
25 / 43
Censys
To discover Internet assets
26 / 43
VirusTotal
To investigate a possibly malicious IP address, domain, file, etc.
27 / 43
Scanning the target
After reconnaissance, you have domain names, IP addresses,technical contact information, etc.
Reconnaissance vs. scanning
▶ Recon: casing the target for information
▶ Scanning: looking for openings to get in
Scanning techniques
▶ Network mapping
▶ Determine open ports
▶ Enumeration
▶ Vulnerability scanning
28 / 43
Network mapping
Purpose of network mapping
▶ Understand the network infrastructure and discover critical hosts, routers, firewalls, etc.
▶ Begin from where the attacker can reach
Approaches to find live hosts
▶ Sweep through all possible IP addresses in the target network with ping (ICMP Echo request/reply; may be blocked).
▶ Alternative tools
• arping: probe with ARP packets (only within the same broadcast domain)
• fping: higher performance when pinging many hosts
• nping: network packet generation, response analysis and response time measurement
• hping: supports many probing functions over multiple protocols
• zmap: fast single-packet network scanner optimized for Internet-wide surveys
29 / 43
Network mapping (cont.)
Find the routers along the network path
▶ traceroute in UNIX or tracert in Windows
Defenses against network mapping
For ping, traceroute, etc., filter the underlying messages with firewalls:
▶ incoming ICMP messages (with only the exceptions you want, e.g., for public services or from certain ISPs)
▶ ICMP Time Exceeded messages leaving your network. The attacker's traceroute then shows * * * for your hops and learns nothing. That's it!
▶ Caveat: do not drop ICMP wholesale. Type 3 code 4 (fragmentation needed) must get through, or path MTU discovery breaks.
30 / 43
Determine open ports using port scanner
From the addresses of live hosts to their open ports
▶ Each host has 65,536 TCP ports and 65,536 UDP ports (0 to 65535).
▶ An attacker can test the well-known port numbers first with a port scan.
Port scanning tools
▶ Scan a list of specific ports, a range of ports, or all possible TCP and UDP ports
▶ Usually considered an impolite act (avoid it when unnecessary); consider a passive reconnaissance source such as Censys first.
▶ Well-known open-source port scanner: nmap, with zenmap as its graphical front end
31 / 43
Nmap: a port-scanning tool
nmap
▶ open-source tool for network exploration and security auditing
▶ operation of nmap: sends packets to interact with each port and interprets the responses (or their absence)
Usage of nmap
▶ What hosts are available on the network?
▶ Which ports are open?
▶ What services (application name and version) those hosts areoffering?
▶ What operating systems (and OS versions) they are running?
▶ What type of packet filters/firewalls are in use?
32 / 43
States of scanned ports
open An application on the target machine is listening forconnections/packets on that port.
filtered A firewall, filter, or other network obstacle is blockingthe port so that Nmap cannot tell whether it is openor closed.
closed No application listening on the port.
unfiltered A port is responsive to Nmap's probes, but Nmap cannot determine whether it is open or closed (only the ACK scan produces this state).
open|filtered, closed|filtered Combined states reported when a scan type cannot tell the two apart, e.g., UDP, FIN, Xmas and Null scans report open|filtered when a probe gets no answer.
33 / 43
Example of nmap scanning
# nmap -A -T4 scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.036s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
| 2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
| 256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_ 256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Nmap Project
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Go ahead and ScanMe!
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: bridge|general purpose
Running (JUST GUESSING): Oracle Virtualbox (97%), QEMU (92%)
OS CPE: cpe:/o:oracle:virtualbox cpe:/a:qemu:qemu
Aggressive OS guesses: Oracle Virtualbox (97%), QEMU user mode network gateway (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.65 ms 10.0.2.2
2 0.66 ms scanme.nmap.org (45.33.32.156)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.26 seconds
34 / 43
TCP connect scan
option: -sT
▶ Completes the three-way handshake with each target port using the connect() system call
▶ Sends a SYN packet
• port is open: get a SYN-ACK, send the ACK to complete the handshake, then a FIN (or RST) to terminate it
• port is closed or filtered: get a RST, an ICMP port unreachable, or no response at all
▶ Does not need root privilege
▶ Easy to detect: the completed connection reaches the application and leaves an entry in the system or application log
▶ Use a SYN scan instead if you have root privilege.
35 / 43
TCP SYN scan
option: -sS
▶ Highly efficient for fast scanning
▶ Half-open scanning: no full TCP connection is made
▶ Sends only a SYN packet
• port is open: get a SYN-ACK, then send a RST to abort the connection before the application ever sees it
• port is closed: get a RST
• port is filtered: get an ICMP unreachable error or no response
36 / 43
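The connect scan from the two slides above, as an added example (not code from the slides or from nmap): connect_scan() is the -sT logic written against the socket API, and LoggingService is a tiny listener that records every accepted connection, the way an application log would. It shows why -sT is the noisy one: the full handshake reaches accept(), while a SYN scan's RST after the SYN-ACK never does (the SYN scan itself needs raw sockets and root, so it is not reproduced here). The target is 127.0.0.1 and the ports are picked at run time, so the example runs offline.

```python
import socket
import threading
import time


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan (what nmap -sT does): classify each port as
    open / closed / filtered from the outcome of a full three-way handshake."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # SYN -> SYN-ACK -> ACK, completed by the kernel
            results[port] = "open"
        except ConnectionRefusedError:       # a RST came back
            results[port] = "closed"
        except OSError:                      # timeout or ICMP unreachable: no usable answer
            results[port] = "filtered"
        finally:
            s.close()                        # FIN (or RST) tears the connection down
    return results


class LoggingService:
    """Listener that logs the peer of every accepted connection, like an
    application log would. A connect scan shows up here; a SYN scan does not."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))     # port 0: let the kernel pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.log = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:                  # listening socket was closed
                return
            self.log.append(peer)            # the "log entry" the slide refers to
            conn.close()

    def wait_for_log(self, count, timeout=2.0):
        """accept() runs in another thread; wait briefly for it to catch up."""
        deadline = time.monotonic() + timeout
        while len(self.log) < count and time.monotonic() < deadline:
            time.sleep(0.01)
        return len(self.log)

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
        except OSError:
            pass
        self.sock.close()


def unused_port():
    """Bind an ephemeral port and release it again, to obtain a port that is closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed local port; report the scan result and
    how many connections the service logged because of it."""
    svc = LoggingService()
    closed = unused_port()
    while closed == svc.port:
        closed = unused_port()
    scan = connect_scan("127.0.0.1", [svc.port, closed])
    logged = svc.wait_for_log(1)
    svc.close()
    return {"open_port": svc.port, "closed_port": closed, "scan": scan, "logged": logged}


if __name__ == "__main__":
    print(demo())
```

The "filtered" branch is only reached when nothing answers within the timeout; against a real target that is the case where a firewall silently drops the SYN, and it is what makes a connect scan of filtered ports slow.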
TCP FIN, Xmas and null scan
option: -sF, -sX, -sN
▶ According to the rules in the TCP RFC (RFC 793):
• port is closed: an incoming segment not containing a RST causes a RST to be sent in response
• port is open: an incoming segment without the SYN, RST, or ACK bits set is dropped
▶ FIN scan: sets just the TCP FIN bit
▶ Xmas scan: sets the FIN, PSH, and URG flags
▶ Null scan: does not set any flag bits
▶ Advantage: good for sneaking through certain non-stateful firewalls and packet-filtering routers
▶ Disadvantage: not all systems follow the RFC (Windows and many Cisco devices reply with a RST regardless). Works for most Unix-based systems, and since silence is the only evidence, an open port is reported as open|filtered.
37 / 43
TCP ACK scan
option: -sA
▶ Does not determine open ports (not even open|filtered)
▶ Used to map out firewall rulesets: whether they are stateful, and which ports are filtered
▶ When scanning unfiltered systems, both open and closed ports return a RST; Nmap then labels them unfiltered.
▶ Ports that do not respond, or that send back certain ICMP error messages, are labeled filtered.
38 / 43
Idle scan (overview)
Advantage: a stealthy TCP port scan in which no packet is sent to the target from the attacker's real IP address
Principle of the idle scan (option: -sI zombie_host)
Leverages the IP identification field in the IP header, which on some systems (e.g., older Windows) increases by 1 for every packet sent.
Requirements for the blamed (zombie) host
▶ Predictable IP id increments (ideally by exactly 1, and global rather than per destination)
▶ Mostly idle (hence "idle scan"), so that no other traffic moves the counter
39 / 43
Idle scan (procedure)
Three parties: the attacker, the target, and the blamed (zombie) host. The target sees no traffic from the attacker's address.
1. Attacker sends a SYN to the zombie.
2. Zombie answers SYN+ACK with IP id = x.
3. Attacker remembers x.
4. Attacker sends a spoofed SYN (source address = zombie) to the target's TCP port.
5. If the port is open, the target sends SYN+ACK to the zombie; if it is closed, the target sends a RST, which the zombie ignores, so its IP id does not move.
6. The zombie, which never sent that SYN, answers the SYN+ACK with a RST carrying IP id = x+1.
7. Attacker sends another SYN to the zombie.
8. Zombie answers SYN+ACK with the next IP id.
If IP id = x+2, the port is open; if IP id = x+1, the port is closed. A filtered port (no answer to the spoofed SYN) looks the same as a closed one.
40 / 43
UDP scan
option: -sU
▶ Much harder than a TCP scan
▶ No three-way handshake, sequence numbers, or control bits, so the result is less reliable
• port is open: a UDP reply may come back (given the right protocol request); silence is reported as open|filtered
• port is closed: an ICMP port unreachable may be received, but most hosts rate-limit these messages, which makes a UDP scan slow
▶ For some common ports such as 53 and 161, a protocol-specific payload is sent to raise the response rate,
▶ but for most ports the packet is empty unless the --data, --data-string, or --data-length option is specified.
41 / 43
Version detection
option: -sV
Probes open ports to determine service and version information. Related options:
▶ --version-intensity <level>: set from 0 (light) to 9 (try all probes)
▶ --version-light: limit to the most likely probes (intensity 2)
▶ --version-all: try every single probe (intensity 9)
▶ --version-trace: show detailed version scan activity (for debugging)
Nmap scan report for www.cs.ccu.edu.tw (140.123.101.3)
Host is up (0.031s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/ssl Apache httpd (SSL-only mode)
42 / 43
Additional techniques
option: -g/--source-port <portnum>
Setting the source port to get a scan through
▶ A port scan may need to pass a firewall.
▶ Choosing the right source port can get packets through a stateless filter that trusts return traffic, e.g., source port 80, or 53 (DNS) and 20 (FTP data), the classic cases in the nmap manual. A stateful firewall is not fooled by this.
-D decoy1[,decoy2][,ME][,...]
Cloak a scan with decoys
▶ Makes it appear to the remote host that the hosts you specify as decoys are scanning the target network too.
▶ Note: one of the source addresses must be the real one (ME), or no replies ever reach you.
▶ Which source address is real? The decoys make the investigation harder.
43 / 43