Techniques of Network Attacks and Defenses Chapter 3: Reconnaissance/Scanning Po-Ching Lin

Page 1: Techniques of Network Attacks and Defenses - Chapter 3

Techniques of Network Attacks and Defenses, Chapter 3: Reconnaissance/Scanning

Po-Ching Lin

Lifecycle of network attacks

Reconnaissance (footprinting): discover as much as possible about the target

Scanning: scan the target systems looking for openings

Gaining access / DoS: access or disable the target systems

Maintaining access: keep access to and control of the target systems

Covering tracks & hiding: quietly communicate with and access the target systems

1 / 43

Reconnaissance: why and how?

Think about how bandits rob a bank

▶ Frequently visiting the target bank

▶ Recording the times the guards enter and leave

▶ Observing the location of security cameras

▶ Determining the alarm system vendors

▶ Planning a getaway route

But... Bank robbery is not so popular now...

Ways to do reconnaissance (low/no technology)

▶ Social engineering

▶ Physical break-in

▶ Dumpster diving

2 / 43

Social engineering

What is social engineering?

▶ To leverage psychological manipulation to trick humans into making security mistakes or disclosing confidential information.

▶ To exploit human weaknesses.

Common social engineering tricks

▶ Baiting: to lure a person into picking up and using physical media that has been left behind (e.g., media carrying malware).

▶ Phishing: typically to send email that tricks the receiver into revealing sensitive information.

▶ Spear-phishing: like phishing, but focused on certain targeted recipients.

▶ Impersonation: to pretend to be another person

3 / 43

Example of probable spear-phishing

Will you open the attached file?

▶ Perhaps not. But how about other people?

▶ The weakest point in your organization is the most dangerous one.

▶ The attacker may investigate the recipient thoroughly to gain a higher success rate.

4 / 43

Information leakage of relations

Figure source: K. R. Macwan and S. J. Patel, "k-NMF Anonymization in Social Network Data Publishing," The Computer Journal, vol. 61, no. 4, pp. 601-613, April 2018.

▶ Social relations are available from online social networks.

▶ Some private information can be revealed involuntarily.

5 / 43

Even information from more than 10 years ago

Available at https://www.archive.org

6 / 43

Physical break-in

Figure: panels (a) to (d)

See https://www.youtube.com/watch?v=M0m7y5S1mFU.

7 / 43

What if an access card is used?

A badge may be needed. You may learn to be like this...

8 / 43

Search the Web

Why search the Web for reconnaissance?

▶ A huge amount of public information is on the Web

▶ Many search engines are available today

▶ All such recon activities are legal

Google search engine

▶ Google bots

▶ Google index (PageRank)

▶ Google cache

▶ Google API

9 / 43

Precise search using Google

Google returns at most 1,000 results for each search, so the search term should be as precise as possible.

Directive & operator, purpose, and search example:

▶ site:[domain]: results associated with a given domain. Example: look for xxx in the CCU domain, site:ccu.edu.tw

▶ intitle:[term]: pages with titles that contain the given term. Example: see all titles with CCU, intitle:ccu

▶ inurl:[term]: pages with URLs that contain the given term. Example: see all URLs with passwd, inurl:passwd

▶ related:[site]: all pages similar to the given page. Example: see all pages similar to www.ccu.edu.tw, related:www.cs.ccu.edu.tw

10 / 43

Precise search using Google (cont.)

Directive & operator, purpose, and search example:

▶ cache:[page]: displays the contents of a Web page from Google's cache. Example: find the recent view of www.ccu.edu.tw in the cache, cache:www.ccu.edu.tw

▶ filetype:[suffix]: search for only files of a given type. Example: look for all pdf files, filetype:pdf

▶ Literal matches (" "): search for a literal match of the given search term. Example: look for "network security", instead of "network" and "security"

▶ Not (-): filter out Web pages that include a given term. Example: find a popular term but in rare use, jobs -apple

▶ Plus (+): Google filters certain common words, say "the". Example: look for "the" and "book", +the book

11 / 43

Google hacking

Usefulness of Google directives and operators

▶ Attackers can combine various search directives and operators to find useful information.

▶ Use your imagination.

Example

▶ inurl:admin site:cs.ccu.edu.tw

▶ intitle:“Router Access” inurl:Router Login.asp

More information

▶ Google Hacking Database (GHDB)

▶ Google Hacking for Penetration Testers, 3rd Edition

12 / 43

Searching an organization’s Web site

For social engineering

▶ Employee’s contact information

▶ Corporate culture and language

▶ Business partners

For weakness

▶ Recent mergers and acquisitions

▶ Technologies in use

▶ Open job requisitions, e.g., looking for Checkpoint firewall administrators

1. They use Checkpoint firewalls.

2. They do not have experienced staff for those firewalls.

13 / 43

Newsgroups or Web forums

Why are newsgroups and forums useful to attackers?

▶ Employees may share information and ask questions, e.g.,

• How to configure a system?

• How to get around software coding difficulties

• Troubleshooting a problem

▶ Attackers may learn a lot from the information

• The vendor products in use

• The configuration of the system

• The person responsible for the system

▶ Attackers may send false advice to the requestor.

14 / 43

Defenses against Web search

▶ Do not put sensitive information on Web sites (even in a directory with an obscure name).

▶ Do not post sensitive information, such as system configuration, to newsgroups or forums.

▶ Actively search to see whether any sensitive information is exposed.

▶ Educate your staff.

▶ Remove information from Google

• Add robots.txt to the Web server's root directory.

• Use the noindex meta tag (not to index the page)

• Use the nofollow meta tag (not to follow links in the page)

• Use the noarchive meta tag (not to cache the page)

• Use the nosnippet meta tag (not to show summary snippets)

• e.g., <meta name="robots" content="noindex" />

• Ask Google to remove content or links

15 / 43

More about robots.txt

Example

▶ Keep all robots out

• User-agent: *

• Disallow: /

▶ Tell all robots not to enter three directories

• User-agent: *

• Disallow: /cgi-bin/

• Disallow: /images/

• Disallow: /tmp

▶ Tell a specific robot not to enter a specific directory

• User-agent: xxx

• Disallow: /private/

Note: You also tell attackers what’s important!
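The three robots.txt records above, evaluated by a small parser added here as an example (not code from the slides): it answers whether a path is off limits for a given robot and, to make the note concrete, lists every path the file advertises to anyone who reads it. The file content is constructed from the slide's examples.

```python
# Minimal robots.txt evaluator (added example, not from the slides).
# Constructed sample combining the slide's three records.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /images/
Disallow: /tmp

User-agent: xxx
Disallow: /private/
"""

def parse_robots(text):
    """Return {user_agent: [disallowed path prefixes]}.

    A blank line ends a record; a record may name several User-agent
    lines that share one set of Disallow lines.
    """
    rules, agents, paths = {}, [], []

    def flush():
        for a in agents:
            rules.setdefault(a, []).extend(paths)

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            flush()
            agents, paths = [], []
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if paths:                          # new record without a blank line
                flush()
                agents, paths = [], []
            agents.append(value.lower())
        elif key == "disallow" and value:      # an empty Disallow allows everything
            paths.append(value)
    flush()
    return rules

def is_disallowed(rules, user_agent, path):
    """Apply only the most specific matching User-agent record ('*' is the
    fallback). Disallow values are path prefixes, so '/tmp' also covers '/tmpfiles'."""
    ua = user_agent.lower()
    candidates = [a for a in rules if a != "*" and a in ua]
    group = max(candidates, key=len) if candidates else "*"
    return any(path.startswith(p) for p in rules.get(group, []))

def advertised_paths(rules):
    """Every path the file points at: public to crawlers and attackers alike."""
    return sorted({p for paths in rules.values() for p in paths})

if __name__ == "__main__":
    r = parse_robots(SAMPLE_ROBOTS)
    print(is_disallowed(r, "Googlebot", "/cgi-bin/test.cgi"))
    print(is_disallowed(r, "xxx", "/images/a.png"))
    print(advertised_paths(r))
```

Note that the robot named xxx is bound only by its own record, so it is free to crawl /cgi-bin/; the list returned by advertised_paths is what the slide's warning is about.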

16 / 43

Whois database

▶ A variety of data elements regarding the assignment of domain names, individual contacts, and even IP addresses

▶ Set up when you register your domain names at a registrar

▶ Can be directly looked up with the 'whois' command on UNIX

▶ Examples: ICANN Lookup, TWNIC whois

▶ Also use the whois command in Linux

▶ Note: if only the geographical location is needed, use geoiplookup.

17 / 43

Defenses against whois searches

Why whois database?

▶ It looks unsafe. How about removing it or giving fake information?

▶ Administrators use it to communicate with other administrators during attack investigation.

▶ Therefore, the whois information should be precise and kept updated.

Anonymous registration services

▶ Use the registrar's contact information instead of yours.

▶ May slow down contact. Speed is important.

▶ How to defend against whois searches? Train your staff to avoid social engineering scams.

18 / 43

Interrogating with DNS servers

▶ Identify the DNS servers (e.g., through the whois server)

▶ Use commands such as nslookup or dig

• Particularly for zone transfer (used by secondary DNS servers to update from primary DNS servers)

• Use the following nslookup commands for zone transfer

server a.b.c.d      // point to a DNS server
set type=any        // look for any type of record
ls -d domain name   // show information of the domain

▶ Chances of zone transfer: most will fail, but there may still be a chance with careless administrators.

19 / 43

Defenses from DNS-based reconnaissance

▶ No additional information such as OS types in the DNS resource records.

▶ Restrict zone transfer to only from the primary server to the secondary server.

▶ Configure the firewall to allow zone transfer from the primary server to the secondary server (TCP port 53).

▶ Do not allow zone transfer from the secondary server.

▶ Split DNS into internal DNS (for internal hosts) and external DNS (for external servers).

20 / 43

Reconnaissance tool: recon-ng

▶ A full-featured reconnaissance framework to conduct open source reconnaissance

▶ Look and feel similar to the Metasploit Framework

▶ Support a number of modules in the marketplace

[recon-ng][default] > marketplace search vulnerabilities

[*] Searching module index for ’vulnerabilities’...

+------------------------------------------------------------------------------------------------+

| Path | Version | Status | Updated | D | K |

+------------------------------------------------------------------------------------------------+

| recon/domains-vulnerabilities/ghdb | 1.1 | not installed | 2019-06-26 | | |

| recon/domains-vulnerabilities/xssed | 1.1 | not installed | 2020-10-18 | | |

| recon/hosts-hosts/ssltools | 1.0 | not installed | 2019-06-24 | | |

| recon/repositories-vulnerabilities/gists_search | 1.0 | not installed | 2019-06-24 | | |

| recon/repositories-vulnerabilities/github_dorks | 1.0 | not installed | 2019-06-24 | | * |

+------------------------------------------------------------------------------------------------+

D = Has dependencies. See info for details.

K = Requires keys. See info for details.

21 / 43

Using the hackertarget module

[recon-ng][default] > marketplace info recon/domains-hosts/hackertarget

+---------------------------------------------------------------------------------------------------------------+

| path | recon/domains-hosts/hackertarget |

| name | HackerTarget Lookup |

| author | Michael Henriksen (@michenriksen) |

| version | 1.1 |

| last_updated | 2020-05-17 |

| description | Uses the HackerTarget.com API to find host names. Updates the ’hosts’ table with the results. |

| required_keys | [] |

| dependencies | [] |

| files | [] |

| status | not installed |

+---------------------------------------------------------------------------------------------------------------+

[recon-ng][default] > marketplace install recon/domains-hosts/hackertarget

[*] Module installed: recon/domains-hosts/hackertarget

[*] Reloading modules...

22 / 43

Using the hackertarget module (cont.)

[recon-ng][default] > modules load recon/domains-hosts/hackertarget

[recon-ng][default][hackertarget] > info

Name: HackerTarget Lookup

Author: Michael Henriksen (@michenriksen)

Version: 1.1

Description:

Uses the HackerTarget.com API to find host names. Updates the ’hosts’ table with the results.

Options:

Name Current Value Required Description

------ ------------- -------- -----------

SOURCE default yes source of input (see ’info’ for details)

Source Options:

default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL

<string> string representing a single input

<path> path to a file containing a list of inputs

query <sql> database query returning one column of inputs

[recon-ng][default][hackertarget] > options set SOURCE cs.ccu.edu.tw

SOURCE => cs.ccu.edu.tw

[recon-ng][default][hackertarget] > run

-------------

CS.CCU.EDU.TW

-------------

[*] Country: None

[*] Host: cs.ccu.edu.tw

[*] Ip_Address: 140.123.101.1

...

23 / 43

Social Engineering Toolkit

Select from the menu:

1) Spear-Phishing Attack Vectors

2) Website Attack Vectors

3) Infectious Media Generator

4) Create a Payload and Listener

5) Mass Mailer Attack

6) Arduino-Based Attack Vector

7) Wireless Access Point Attack Vector

8) QRCode Generator Attack Vector

9) Powershell Attack Vectors

10) Third Party Modules

99) Return back to the main menu.

set> 1

The Spearphishing module allows you to specially craft email messages and send

them to a large (or small) number of people with attached fileformat malicious

payloads. If you want to spoof your email address, be sure "Sendmail" is in-

stalled (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF

flag to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do

everything for you (option 1), the second is to create your own FileFormat

payload and use it in your own attack. Either way, good luck and enjoy!

1) Perform a Mass Email Attack

2) Create a FileFormat Payload

3) Create a Social-Engineering Template

99) Return to Main Menu

24 / 43

Shodan search engine

To search for various types of webcams, routers, servers, etc. connected to the Internet using various filters

25 / 43

Censys

To discover Internet assets

26 / 43

VirusTotal

To investigate a possibly malicious IP address, file, etc.

27 / 43

Scanning the target

After reconnaissance, you have domain names, IP addresses, technical contact information, etc.

Reconnaissance vs. scanning

▶ Recon: casing the target for information

▶ Scanning: looking for openings to enter

Scanning techniques

▶ Network mapping

▶ Determine open ports

▶ Enumeration

▶ Vulnerability scanning

28 / 43

Network mapping

Purpose of network mapping

▶ Understand the network infrastructure, and discover critical hosts, routers, firewalls, etc.

▶ Begin from where the attackers can reach

Approaches to find live hosts

▶ Sweep through all possible IP addresses in the target network with ping (ICMP Echo request/response, may be blocked).

▶ Alternative tools

• arping: probing by ARP packets

• fping: higher performance when pinging multiple hosts

• nping: for network packet generation, response analysis and response time measurement

• hping: supports many probing functions over multiple protocols

• zmap: fast single-packet network scanner optimized for Internet-wide network surveys

29 / 43

Network mapping (cont.)

Find the routers along network path

▶ traceroute in UNIX or tracert in Windows

Defenses against network mapping

For ping, traceroute, etc., filter out the underlying messages using firewalls.

▶ Filter incoming ICMP messages (with only the exceptions you want, e.g., for public services or from certain ISPs).

▶ Filter ICMP Time Exceeded messages leaving your network. You will then see (* * *) when using traceroute. That's it!

30 / 43

Determine open ports using port scanner

From addresses of live hosts to open ports

▶ Each host has 65,536 TCP ports and 65,536 UDP ports.

▶ An attacker can test well-known port numbers first with port scanning.

Port scanning tools

▶ To scan a list of specific ports, a range of ports, or all possible TCP and UDP ports

▶ Usually an impolite act (to avoid if unnecessary). Consider a reconnaissance approach like Censys first.

▶ Well-known open-source port scanner: nmap and zenmap (graphical front end)

31 / 43

Nmap: a port-scanning tool

nmap

▶ open source tool for network exploration and security auditing

▶ operation of nmap: sending packets to interact with each port

Usage of nmap

▶ What hosts are available on the network?

▶ Which ports are open?

▶ What services (application name and version) are those hosts offering?

▶ What operating systems (and OS versions) are they running?

▶ What type of packet filters/firewalls are in use?

32 / 43

States of scanned ports

open: An application on the target machine is listening for connections/packets on that port.

filtered: A firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.

closed: No application is listening on the port.

unfiltered: The port is responsive to Nmap's probes, but Nmap cannot determine whether it is open or closed.

33 / 43

Example of nmap scanning

# nmap -A -T4 scanme.nmap.org

Nmap scan report for scanme.nmap.org (45.33.32.156)

Host is up (0.036s latency).

Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f

Not shown: 998 filtered ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

| 1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)

| 2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)

| 256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)

|_ 256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)

80/tcp open http Apache httpd 2.4.7 ((Ubuntu))

|_http-favicon: Nmap Project

|_http-server-header: Apache/2.4.7 (Ubuntu)

|_http-title: Go ahead and ScanMe!

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: bridge|general purpose

Running (JUST GUESSING): Oracle Virtualbox (97%), QEMU (92%)

OS CPE: cpe:/o:oracle:virtualbox cpe:/a:qemu:qemu

Aggressive OS guesses: Oracle Virtualbox (97%), QEMU user mode network gateway (92%)

No exact OS matches for host (test conditions non-ideal).

Network Distance: 2 hops

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)

HOP RTT ADDRESS

1 0.65 ms 10.0.2.2

2 0.66 ms scanme.nmap.org (45.33.32.156)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 29.26 seconds
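The report above is more useful to a defender as structured data than as text: the parser below, an added example rather than Nmap's own code, turns Nmap's normal output into a per-host port inventory and diffs it against an approved baseline. The embedded input is a trimmed copy of the scanme.nmap.org report from this slide; the baseline is constructed.

```python
# Parse Nmap "normal" output and compare it with an approved baseline
# (added example, not Nmap's own code).
import re

# Trimmed copy of the slide's report, used as constructed sample input.
SAMPLE_REPORT = """\
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.036s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Go ahead and ScanMe!
Nmap done: 1 IP address (1 host up) scanned in 29.26 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.:a-fA-F]+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap(text):
    """Return a list of hosts: {"host", "addr", "ports": [port dicts]}.

    NSE script lines ('|' and '|_') are attached to the preceding port as
    'scripts' so nothing Nmap reported is silently dropped.
    """
    hosts, current, last_port = [], None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"host": m.group(1), "addr": m.group(2) or m.group(1), "ports": []}
            hosts.append(current)
            last_port = None
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            last_port = {"port": int(m.group(1)), "proto": m.group(2),
                         "state": m.group(3), "service": m.group(4),
                         "version": (m.group(5) or "").strip(), "scripts": []}
            current["ports"].append(last_port)
        elif line.startswith("|") and last_port is not None:
            last_port["scripts"].append(line.lstrip("|_ ").rstrip())
    return hosts

def unexpected_open_ports(hosts, baseline):
    """baseline: {addr: {(port, proto), ...}} that is allowed to be open.
    Returns (addr, port, proto, service) for every open port not in it,
    i.e. the openings the owner did not intend to expose."""
    findings = []
    for h in hosts:
        allowed = baseline.get(h["addr"], set())
        for p in h["ports"]:
            if p["state"] == "open" and (p["port"], p["proto"]) not in allowed:
                findings.append((h["addr"], p["port"], p["proto"], p["service"]))
    return findings

if __name__ == "__main__":
    inventory = parse_nmap(SAMPLE_REPORT)
    print(unexpected_open_ports(inventory, {"45.33.32.156": {(22, "tcp")}}))
```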

34 / 43

TCP connect scan

option: -sT

▶ Complete the three-way handshake with each target port using the connect system call

▶ Send out a SYN packet

• port is open: get a SYN-ACK response, send out ACK to complete and then FIN to terminate.

• port is closed or filtered: get RST, ICMP port unreachable, or no response

▶ Does not need root privilege

▶ Easy to detect because it leaves an entry in the system or application log

▶ Use SYN scan instead if you have root privilege.
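Because a connect scan completes the handshake, every probe shows up in firewall and application logs; the detector below (an added example, not part of the slides) flags a source that touches many distinct ports on one host within a short window. The log lines are constructed in the style of an iptables LOG rule, and the window and threshold are assumed values to tune per environment.

```python
# Port-scan detector over firewall log lines (added example, not from the slides).
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one scanner and one ordinary client, documentation addresses.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=21 SYN
2024-05-01T10:00:00Z kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
2024-05-01T10:00:01Z kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23 SYN
2024-05-01T10:00:01Z kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
2024-05-01T10:00:02Z kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
2024-05-01T10:00:02Z kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
2024-05-01T10:00:05Z kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
2024-05-01T10:00:09Z kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
2024-05-01T10:03:00Z kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
"""

LINE_RE = re.compile(r"^(\S+) .*SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")

def parse_events(text):
    """Return (timestamp, src, dst, dport) tuples for each TCP log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events

def detect_port_scans(events, window_s=10, min_ports=5):
    """Return {(src, dst): (window_start, sorted ports)} for every pair that
    hit at least min_ports distinct ports inside some window_s-second window.
    The largest port set seen for a pair is kept."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_pair[(src, dst)].append((ts, port))
    hits = {}
    for pair, seq in by_pair.items():
        start = 0
        for end in range(len(seq)):
            # advance the window start until it spans at most window_s seconds
            while seq[end][0] - seq[start][0] > timedelta(seconds=window_s):
                start += 1
            ports = {p for _, p in seq[start:end + 1]}
            if len(ports) >= min_ports and (pair not in hits or len(ports) > len(hits[pair][1])):
                hits[pair] = (seq[start][0], sorted(ports))
    return hits

if __name__ == "__main__":
    for (src, dst), (since, ports) in detect_port_scans(parse_events(SAMPLE_LOG)).items():
        print(f"{src} scanned {dst} from {since:%H:%M:%S}: ports {ports}")
```

A connect scan that spreads its probes over hours defeats a 10-second window, so the threshold and window trade detection of slow scans against false positives from busy legitimate clients.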

35 / 43

TCP SYN scan

option: -sS

▶ Highly efficient for fast scanning

▶ Use half-open scanning, not a full TCP connection

▶ Send out only a SYN packet

• port is open: get a SYN-ACK response, and send out RST to abort the connection.

• port is closed: get RST

• port is filtered: get ICMP port unreachable or no response

36 / 43

TCP FIN, Xmas and null scan

option: -sF, -sX, -sN

▶ According to the rules in the TCP RFC

• port is closed: an incoming segment not containing a RST causes a RST to be sent in response.

• port is open: an incoming segment without the SYN, RST, or ACK bits set is dropped.

▶ FIN scan: sets just the TCP FIN bit

▶ Xmas scan: sets the FIN, PSH, and URG flags

▶ null scan: does not set any flag bits

▶ advantage: good for sneaking through certain non-stateful firewalls and packet filtering routers

▶ disadvantage: not all systems follow the RFC. Works for most Unix-based systems.

37 / 43

TCP ACK scan

option: -sA

▶ Not used to determine open (or even open|filtered) ports

▶ Used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

▶ When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered.

▶ Ports that do not respond or send certain ICMP error messages back are labeled filtered.

38 / 43

Idle scan (command)

Advantage: stealthy TCP port scan in which no packets are sent to the target from the attacker's real IP address

Principle of idle scan (option: -sI zombie host)

Leverage the IP identification field in the IP header (increased by 1 for each sent packet, e.g., in Windows).

Requirements of the blamed host

▶ Have a predictable IP identification increase (ideally, 1)

▶ Mostly idle (hence the name idle scan)

39 / 43

Idle scan (procedure)

Parties: attacker, blamed host, target. From the target's point of view there seems to be no traffic from the attacker.

1. attacker → blamed host: SYN

2. blamed host → attacker: SYN+ACK, IP id=x

3. attacker: remember x

4. attacker → target: spoofed SYN (source address = blamed host) to a given TCP port

5. target → blamed host: SYN+ACK (if the port is open; a closed port answers with RST instead)

6. blamed host → target: RST, IP id=x+1 (a RST from the target is ignored and consumes no IP id)

7. attacker → blamed host: SYN

8. blamed host → attacker: SYN+ACK

If IP id=x + 2, port is open; if IP id=x + 1, port is closed.
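A pure-Python model of steps 1 to 8, added here as an example (not code from the slides): a simulated target and a simulated blamed host exchange the messages above without any real packets, which makes it easy to see the two requirements of the previous slide fail. With a host whose IP id is randomized, or one that sends other traffic in between, the x+1 / x+2 inference no longer works; the class and function names are assumptions of this example.

```python
# Model of the idle-scan IP id inference (added example, not from the slides).
import random

class BlamedHost:
    """The idle 'zombie': answers SYN with SYN+ACK and an unsolicited SYN+ACK
    with RST, stamping every packet it sends with its next IP id."""
    def __init__(self, start_id=1000, randomize=False, seed=0):
        self.ip_id = start_id
        self.randomize = randomize
        self.rng = random.Random(seed)

    def _next_id(self):
        # Predictable stacks increment by 1; hardened stacks pick random ids.
        self.ip_id = self.rng.randrange(65536) if self.randomize else self.ip_id + 1
        return self.ip_id

    def on_syn(self):        # steps 2 and 8: reply to the attacker's probe
        return {"flags": "SYN+ACK", "ip_id": self._next_id()}

    def on_syn_ack(self):    # step 6: unexpected SYN+ACK from the target
        return {"flags": "RST", "ip_id": self._next_id()}

    def on_rst(self):        # a RST for a connection it never opened is dropped
        return None

class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def on_syn(self, port):  # step 5: the target believes the SYN came from the zombie
        return "SYN+ACK" if port in self.open_ports else "RST"

def idle_scan_port(target, blamed, port, noise=0):
    """Infer one port's state the way the attacker does in steps 1-8.

    noise = packets the blamed host sends to third parties meanwhile; any
    such traffic corrupts the IP id arithmetic, hence 'mostly idle'."""
    x = blamed.on_syn()["ip_id"]          # steps 1-3: learn the current IP id x
    for _ in range(noise):
        blamed._next_id()                 # the zombie was not idle after all
    reply = target.on_syn(port)           # step 4: spoofed SYN reaches the target
    if reply == "SYN+ACK":                # step 5: open port
        blamed.on_syn_ack()               # step 6: the RST consumes one IP id
    else:
        blamed.on_rst()                   # closed port: RST to the zombie, no reply
    y = blamed.on_syn()["ip_id"]          # steps 7-8: probe again, read the IP id
    delta = y - x
    return "open" if delta == 2 else "closed" if delta == 1 else "unknown"

def open_detection_rate(randomize, trials=200):
    """Fraction of trials in which an open port is correctly reported open,
    against zombies with sequential (False) or random (True) IP ids."""
    target = Target(open_ports={22})
    hits = sum(idle_scan_port(target, BlamedHost(randomize=randomize, seed=i), 22) == "open"
               for i in range(trials))
    return hits / trials

if __name__ == "__main__":
    t = Target(open_ports={22, 80})
    print(idle_scan_port(t, BlamedHost(), 22), idle_scan_port(t, BlamedHost(), 23))
    print(open_detection_rate(False), open_detection_rate(True))
```

The randomized case is the mitigation: modern operating systems randomize or zero the IP id, so they cannot serve as the blamed host.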

40 / 43

UDP scan

option: -sU

▶ Much harder than TCP scan

▶ No three-way handshake, sequence numbers or control bits → less reliable

• port is open: a UDP packet may be returned (given the right protocol request)

• port is closed: may receive ICMP port unreachable

▶ For some common ports such as 53 and 161, a protocol-specific payload is sent to increase the response rate,

▶ but for most ports the packet is empty unless the --data, --data-string, or --data-length options are specified.

41 / 43

Version detection

option: -sV

Probe open ports to determine service/version info

Related options:

▶ --version-intensity <level>: set from 0 (light) to 9 (try all probes)

▶ --version-light: limit to the most likely probes (intensity 2)

▶ --version-all: try every single probe (intensity 9)

▶ --version-trace: show detailed version scan activity (for debugging)

Nmap scan report for www.cs.ccu.edu.tw (140.123.101.3)

Host is up (0.031s latency).

PORT STATE SERVICE VERSION

443/tcp open ssl/ssl Apache httpd (SSL-only mode)

42 / 43

Additional techniques

option: -g/--source-port <portnum>

Setting source ports for a successful scan

▶ A port scan may need to pass a firewall.

▶ It could choose the right source port to enter a stateless firewall, e.g., port 80.

-D decoy1[,decoy2][,ME][,...]

Cloak a scan with decoys

▶ Makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too.

▶ Note: one of the source addresses must be real to get the result.

▶ Which source address is real? This makes investigation harder.

43 / 43