Network Security and Hacking Techniques – DAY2
Network Packet Overview
TCP/IP and Network Packet Overview
Network Tools Overview: TCPDUMP
ETHEREAL
NTOP
Multi Router Traffic Grapher (MRTG)
Typical Network
Visible IP Address
Internal Network
PC Servers
Linux and Windows
Host / Application Servers
Like IDS, Sniffers
What is inside?
Network Tools Overview
Network Monitoring and Debugging: the network interface configuration, shown by ifconfig
root:/tmp> ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:D0:09:28:F9:F9
          inet addr:192.168.64.23  Bcast:192.168.64.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10113996 errors:231 dropped:0 overruns:0 frame:231
          TX packets:2575002 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:3 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:14022 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14022 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
Network Tools Overview (Cont…)
Measure the throughput between two points
root:/root> ttcp -t -s testing.secureindia.com
ttcp-t: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp -> testing.secureindia.com
ttcp-t: socket
ttcp-t: connect
ttcp-t: 16777216 bytes in 2.05 real seconds = 7978.76 KB/sec +++
ttcp-t: 2048 I/O calls, msec/call = 1.03, calls/sec = 997.35
ttcp-t: 0.0user 0.4sys 0:02real 22% 0i+0d 0maxrss 0+2pf 0+0csw
Network Tools Overview (Cont…)
Address Resolution by using arp
ARP command
root23:/tmp> /sbin/arp -a
ntec93 (192.168.128.93) at on eth0
router.arm.secureindia.net (192.168.64.254) at 00:B0:D0:11:CB:4B [ether] on eth0
castle (192.168.64.230) at 00:B0:D0:22:0A:28 [ether] on eth0
athena (192.168.64.232) at 00:01:02:3A:93:25 [ether] on eth0
PING host
root23:/tmp> ping -c 2 ntec21
PING ntec21 (192.168.64.21) from 192.168.64.23 : 56(84) bytes of data.
64 bytes from ntec21 (192.168.64.21): icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from ntec21 (192.168.64.21): icmp_seq=1 ttl=255 time=0.2 ms
--- ntec21 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.3 ms
Network Tools Overview (Cont…)
The ARP cache after the ping: resolving ntec21 for the ICMP echo request has added an entry for it.
root23:/tmp> arp -a
ntec93 (192.168.128.93) at on eth0
rou.secureindia.net (192.168.64.254) at 00:B0:D0:11:CB:4B [ether] on eth0
castle (192.168.64.230) at 00:B0:D0:22:0A:28 [ether] on eth0
ntec21 (192.168.64.21) at 00:D0:09:4E:46:06 [ether] on eth0
athena (192.168.64.232) at 00:01:02:3A:93:25 [ether] on eth0
Network Tools Overview (Cont…)
Tracing Routes using traceroute
Network Tools Overview (Cont…)
Example of traceroute
root# traceroute jksresearch.net
traceroute to vsnl.com (202.54.1.73), 30 hops max, 38 byte packet
Tracing the route to jksresearch.net (202.71.128.194)
1 telehouse3-telehouse1-100.1anetworks.net (193.243.177.10) 0 msec 0 msec 0 msec
2 195.66.224.166 [AS 5459] 0 msec 4 msec 0 msec
3 i-3-3.hhtstcbr01.net.reach.com (202.84.143.130) [AS 4637] 244 msec 248 msec 244 msec
4 i-1-1-0.hhtstcar02.net.reach.com (207.176.96.178) [AS 4637] 244 msec 244 msec 248 msec
5 202.40.142.138 [AS 4637] 368 msec 384 msec 368 msec
6 202.41.239.19 [AS 4637] 368 msec 388 msec 372 msec
7 202.41.232.10 [AS 4637] 492 msec 528 msec 512 msec
8 jksresearch.net (202.71.128.194) [AS 17447] 388 msec 384 msec 376 msec
Network Tools Overview (Cont…)
Traffic analysis by using tcpdump
tcpdump                       dump all packets
tcpdump -ex                   dump the packet header and the packet content in hex
tcpdump -exa                  dump the packet header and the packet content in hex and ASCII
tcpdump -c 500                dump 500 packets and exit
tcpdump -c 500 -w dump.log    dump 500 packets and write them to the file dump.log
tcpdump -r dump.log           read the packets from dump.log rather than from the network interface
tcpdump tcp                   dump TCP packets only
tcpdump udp                   dump UDP packets only
Network Tools Overview (Cont…)
Examples of tcpdump
ARP example
ntec1-20:/tmp> tcpdump -e arp
tcpdump: listening on eth0
11:38:21.506049 0:50:56:45:0:67 Broadcast arp 42: arp who-has ntec9-20 tell ntec1-20
11:38:21.508609 0:50:56:45:0:46 0:50:56:45:0:67 arp 60: arp reply ntec9-20 is-at 0:50:56:45:0:46
11:38:21.582506 0:50:56:45:0:62 0:3:fd:fa:30:1c arp 60: arp who-has router-20.secureindia.net tell ntec3-20
11:38:21.582679 0:3:fd:fa:30:1c 0:50:56:45:0:62 arp 60: arp reply router-20.secureindia.net is-at 0:3:fd:fa:30:1c
The first field is the time stamp (11:38:21.506049).
The second field is the MAC address of ntec1-20 (0:50:56:45:0:67).
The third field is the broadcast MAC address (ff:ff:ff:ff:ff:ff), which tcpdump -e prints as "Broadcast".
Line 1: ntec1-20 broadcasts an ARP request asking for the hardware address of ntec9-20.
Line 2: ntec9-20 (hardware address 0:50:56:45:0:46) tells ntec1-20 its hardware address.
Line 3: My host (ntec1-20) has already cached the hardware address of router-20.secureindia.net, so the request is sent directly to that address instead of being broadcast; it appears in the third field.
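The four ARP lines above are regular enough to parse, and a defender reads them for one thing in particular: whether two different hardware addresses ever claim the same host. The Python below is an added example (not part of the slides) that parses the `tcpdump -e arp` format shown, rebuilds the IP-to-MAC mapping the replies announce, and flags a reply whose frame source differs from its `is-at` field or whose MAC contradicts an earlier reply for the same host. The fifth capture line, `CONFLICTING`, is constructed for the example; everything else is the slide's own output.

```python
import re
from collections import defaultdict

# One tcpdump -e arp line: "<ts> <src mac> <dst mac> arp <len>: arp who-has X tell Y"
# or "... arp reply X is-at <mac>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+arp\s+(?P<length>\d+):\s+arp\s+"
    r"(?:who-has\s+(?P<target>\S+)\s+tell\s+(?P<sender>\S+)"
    r"|reply\s+(?P<host>\S+)\s+is-at\s+(?P<mac>\S+))$"
)

# The capture from the slide; the "tcpdump: listening" banner is kept so the
# parser demonstrates that non-packet lines are skipped.
SAMPLE = """\
tcpdump: listening on eth0
11:38:21.506049 0:50:56:45:0:67 Broadcast arp 42: arp who-has ntec9-20 tell ntec1-20
11:38:21.508609 0:50:56:45:0:46 0:50:56:45:0:67 arp 60: arp reply ntec9-20 is-at 0:50:56:45:0:46
11:38:21.582506 0:50:56:45:0:62 0:3:fd:fa:30:1c arp 60: arp who-has router-20.secureindia.net tell ntec3-20
11:38:21.582679 0:3:fd:fa:30:1c 0:50:56:45:0:62 arp 60: arp reply router-20.secureindia.net is-at 0:3:fd:fa:30:1c
"""

# Constructed for this example (not on the slide): a later reply that announces a
# different hardware address for ntec9-20 than the first reply did.
CONFLICTING = "11:38:25.000123 0:50:56:45:0:99 0:50:56:45:0:67 arp 60: arp reply ntec9-20 is-at 0:50:56:45:0:99\n"


def parse_arp_line(line):
    """Return a dict describing one ARP request/reply, or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rec = {"ts": d["ts"], "src_mac": d["src"], "dst_mac": d["dst"], "len": int(d["length"])}
    if d["target"] is not None:
        rec.update(kind="request", host=d["target"], asked_by=d["sender"])
    else:
        rec.update(kind="reply", host=d["host"], mac=d["mac"])
    return rec


def parse_capture(text):
    return [r for r in (parse_arp_line(l) for l in text.splitlines()) if r]


def arp_table(records):
    """host -> list of distinct MACs announced for it by replies, in order first seen."""
    table = defaultdict(list)
    for r in records:
        if r["kind"] == "reply" and r["mac"] not in table[r["host"]]:
            table[r["host"]].append(r["mac"])
    return dict(table)


def find_anomalies(records):
    """List (timestamp, reason) for replies a defender should look at twice."""
    issues = []
    first_seen = {}  # host -> MAC announced by the first reply for that host
    for r in records:
        if r["kind"] != "reply":
            continue
        if r["src_mac"] != r["mac"]:
            issues.append((r["ts"], f"{r['host']}: frame source {r['src_mac']} differs from is-at {r['mac']}"))
        prev = first_seen.setdefault(r["host"], r["mac"])
        if prev != r["mac"]:
            issues.append((r["ts"], f"{r['host']}: previously at {prev}, now claimed at {r['mac']}"))
    return issues


if __name__ == "__main__":
    recs = parse_capture(SAMPLE + CONFLICTING)
    for host, macs in arp_table(recs).items():
        print(f"{host:28s} {', '.join(macs)}")
    for ts, reason in find_anomalies(recs):
        print(f"{ts} ANOMALY {reason}")
```

Run against the slide's four lines alone, the table has one MAC per host and no anomalies; with the constructed fifth line appended, ntec9-20 is listed with two MACs and the change is reported with its timestamp. On a real network the same check is what an ARP monitor does continuously, keyed on the IP rather than the name tcpdump resolves.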
Network Tools Overview (Cont…)
TCP example
csh> tcpdump -c 500 -w dump.log
dump 500 packets to the file dump.log
13:14:56.142688 eth0 < ntec24.1049 > ntec23.finger: S 3558267034:3558267034(0) win 32120 (DF)
13:14:56.142768 eth0 > ntec23.finger > ntec24.1049: S 3556473435:3556473435(0) ack 3558267035 win 30660 (DF)
13:14:56.142904 eth0 < ntec24.1049 > ntec23.finger: . 1:1(0) ack 1 win 32120 (DF)
13:14:56.142961 eth0 < ntec24.1049 > ntec23.finger: P 1:3(2) ack 1 win 32120 (DF)
13:14:56.143001 eth0 > ntec23.finger > ntec24.1049: . 1:1(0) ack 3 win 30660 (DF)
13:14:56.307305 eth0 > ntec23.finger > ntec24.1049: P 1:239(238) ack 3 win 31856 (DF)
13:14:56.307471 eth0 < ntec24.1049 > ntec23.finger: . 3:3(0) ack 239 win 31882 (DF)
13:14:56.307627 eth0 > ntec23.finger > ntec24.1049: F 239:239(0) ack 3 win 31856 (DF)
13:14:56.307738 eth0 < ntec24.1049 > ntec23.finger: . 3:3(0) ack 240 win 31881 (DF)
13:14:56.307873 eth0 < ntec24.1049 > ntec23.finger: F 3:3(0) ack 240 win 32120 (DF)
13:14:56.307904 eth0 > ntec23.finger > ntec24.1049: . 240:240(0) ack 4 win 31856 (DF)
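The eleven lines above are one complete TCP conversation: the three-way handshake (S, S/ack, .), two bytes of request from ntec24, 238 bytes of finger reply from ntec23, and a FIN from each side. Reading that by eye is fine for one session; for a 500-packet capture you want the flows summarised. The Python below is an added example (not part of the slides) that parses this old-style tcpdump TCP line format, groups packets into flows keyed on the side that sent the bare SYN, and reports each flow's state and byte counts. It also lists flows where the server answered with SYN/ACK but the client never completed the handshake, which is the trace a half-open connection leaves. The three `HALF_OPEN` lines are constructed for the example; the `SAMPLE` lines are the slide's own.

```python
import re

# "<ts> <iface> <dir> <src>.<sport> > <dst>.<dport>: <flags> <seq>:<seq>(<len>) [ack <n>] win <w> ..."
TCP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>[<>])\s+"
    r"(?P<src>\S+)\.(?P<sport>\S+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\S+):\s+"
    r"(?P<flags>[SFPR.]+)\s+(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<len>\d+)\)"
    r"(?:\s+ack\s+(?P<ack>\d+))?\s+win\s+(?P<win>\d+)"
)

# The finger session from the slide: client ntec24, server ntec23.
SAMPLE = """\
13:14:56.142688 eth0 < ntec24.1049 > ntec23.finger: S 3558267034:3558267034(0) win 32120 (DF)
13:14:56.142768 eth0 > ntec23.finger > ntec24.1049: S 3556473435:3556473435(0) ack 3558267035 win 30660 (DF)
13:14:56.142904 eth0 < ntec24.1049 > ntec23.finger: . 1:1(0) ack 1 win 32120 (DF)
13:14:56.142961 eth0 < ntec24.1049 > ntec23.finger: P 1:3(2) ack 1 win 32120 (DF)
13:14:56.143001 eth0 > ntec23.finger > ntec24.1049: . 1:1(0) ack 3 win 30660 (DF)
13:14:56.307305 eth0 > ntec23.finger > ntec24.1049: P 1:239(238) ack 3 win 31856 (DF)
13:14:56.307471 eth0 < ntec24.1049 > ntec23.finger: . 3:3(0) ack 239 win 31882 (DF)
13:14:56.307627 eth0 > ntec23.finger > ntec24.1049: F 239:239(0) ack 3 win 31856 (DF)
13:14:56.307738 eth0 < ntec24.1049 > ntec23.finger: . 3:3(0) ack 240 win 31881 (DF)
13:14:56.307873 eth0 < ntec24.1049 > ntec23.finger: F 3:3(0) ack 240 win 32120 (DF)
13:14:56.307904 eth0 > ntec23.finger > ntec24.1049: . 240:240(0) ack 4 win 31856 (DF)
"""

# Constructed for this example (not on the slide): a connection attempt torn down
# with a reset right after the SYN/ACK, so the handshake is never completed.
HALF_OPEN = """\
13:15:10.000101 eth0 < ntec24.40123 > ntec23.ftp: S 1000000:1000000(0) win 1024
13:15:10.000150 eth0 > ntec23.ftp > ntec24.40123: S 2000000:2000000(0) ack 1000001 win 30660 (DF)
13:15:10.000190 eth0 < ntec24.40123 > ntec23.ftp: R 1000001:1000001(0) win 0
"""


def parse_tcp_line(line):
    """Return the fields of one tcpdump TCP line as a dict, or None if it is not one."""
    m = TCP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "src": d["src"], "sport": d["sport"], "dst": d["dst"],
            "dport": d["dport"], "flags": d["flags"], "len": int(d["len"]),
            "ack": int(d["ack"]) if d["ack"] else None, "win": int(d["win"])}


def summarize_flows(text):
    """Group packets into flows keyed (client, cport, server, sport); client = sender of the bare SYN."""
    flows = {}
    for rec in filter(None, map(parse_tcp_line, text.splitlines())):
        a = (rec["src"], rec["sport"])
        b = (rec["dst"], rec["dport"])
        if a + b in flows:
            key = a + b
        elif b + a in flows:
            key = b + a
        elif "S" in rec["flags"] and rec["ack"] is None:
            key = a + b
            flows[key] = {"client": a, "server": b, "first": rec["ts"], "last": rec["ts"],
                          "packets": 0, "client_bytes": 0, "server_bytes": 0,
                          "synack": False, "handshake": False, "fins": 0, "reset": False}
        else:
            continue  # mid-stream packet of a flow whose SYN was not captured
        f = flows[key]
        from_client = a == f["client"]
        f["packets"] += 1
        f["last"] = rec["ts"]
        f["client_bytes" if from_client else "server_bytes"] += rec["len"]
        flags = rec["flags"]
        if not from_client and "S" in flags and rec["ack"] is not None:
            f["synack"] = True                      # server's SYN/ACK
        elif from_client and f["synack"] and "S" not in flags and rec["ack"] is not None:
            f["handshake"] = True                   # client's final ACK (or data carrying it)
        if "F" in flags:
            f["fins"] += 1
        if "R" in flags:
            f["reset"] = True
    return flows


def flow_state(f):
    if f["reset"]:
        return "reset"
    if f["fins"] >= 2:
        return "closed"
    if f["handshake"]:
        return "established"
    if f["synack"]:
        return "half-open"
    return "syn-sent"


def half_open_attempts(flows):
    """Flows where the server sent SYN/ACK but the client never completed the handshake."""
    return [key for key, f in flows.items() if f["synack"] and not f["handshake"]]


if __name__ == "__main__":
    flows = summarize_flows(SAMPLE + HALF_OPEN)
    for key, f in flows.items():
        print(f"{key[0]}.{key[1]} -> {key[2]}.{key[3]}: {flow_state(f)}, "
              f"{f['packets']} pkts, {f['client_bytes']}B client, {f['server_bytes']}B server")
    print("never completed handshake:", half_open_attempts(flows))
```

For the slide's capture the summary is one flow, closed, eleven packets, 2 bytes from the client and 238 from the server. The constructed flow ends in the reset state and is the only entry in the half-open list; many such entries from one source across many ports within a second or two is the pattern to alert on, and is exactly what the stealth scan described later in this deck produces from the server's point of view.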
Network Tools Overview (Cont…)
UDP example
csh> tcpdump udp
dump udp packets only
14:19:49.190269 eth0 > ntec23.961 > castle.985: udp 56
14:19:49.190430 eth0 < castle.985 > ntec23.961: udp 28
Example of a DNS query packet
14:19:59.461091 eth0 > ntec23.1058 > castle.domain: 11899+ PTR? 26.6.189.137.in-addr.arpa. (43)
Example of a DNS response packet
14:19:59.461390 eth0 < castle.domain > ntec23.1058: 11899 1/3/3 PTR hp735f.csc.cuhk.edu.hk. (203)
In the DNS lines, 11899 is the query ID (the "+" marks recursion desired), "1/3/3" counts the answer, authority and additional records in the response, and the number in parentheses is the UDP payload length.
Ethereal: Network Tools
This image shows Ethereal's main window. You can inspect the captured data in great detail, even while a capture session is in progress. Items in the packet list can be shown in any color you like.
Ethereal: Network Tools (Cont…)
This shows a DNS lookup from the server's perspective. It's interesting to note that the server issued four queries to resolve the name, and the client re-sent its query before the server could respond.
Ethereal: Network Tools (Cont…)
The "Follow TCP Stream" item under the "Analyze" menu allows you to inspect the ASCII contents of a TCP data stream in a separate window. This can be invaluable for tracking down HTTP, SMTP, and POP server problems.
More tools for traffic analysis
Ntop -- show network usage
ntop is a network traffic probe that shows the network usage, similar to what the popular top Unix command does.
ntop users can use a web browser to navigate through the traffic information ntop serves (it acts as a web server) and get a dump of the network status.
Multi Router Traffic Grapher (MRTG)
The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network links. MRTG generates HTML pages containing GIF images which provide a live visual representation of this traffic. MRTG is based on Perl and C and works under UNIX and Windows NT.
E.g. the following MRTG graph shows peak traffic at 16:00.
SUMMARY
TCP/IP HEADERS
TCPDUMP/WINDUMP
ETHEREAL
NTOP
MRTG
Typical Network
Visible IP Address
Internal Network
PC Servers
Linux and Windows
Host / Application Servers
Like IDS, Sniffers
What are these machines?
Network Scanners
Scan a wide area network
Using a powerful network scanner, nmap
Find the running hosts in the network
Gather the host information
Get root permission on the target host
Hide from the admin
NMAP
Using a powerful network scanner, nmap
nmap can do FTP bounce scans, stealth scans, OS prediction, and so on.
http://www.insecure.org/nmap
For Windows:
• www.eeye.com/html/Research/Tools/nmapNT.html
NMAP
NMAP does three things:
Determines quickly if an IP address responds to TCP or ICMP pings.
Sends packets to a target IP address to find which port numbers are open, closed, or filtered.
Sends good packets and malformed packets to the target IP address and analyzes responses to try to guess what kind of operating system runs on the target computer.
NMAP
NMAP stands for Network Mapper
Ping Sweeping
# nmap -sP 192.168.7.0/24
Starting nmap V. 2.12 by Fyodor ([email protected], www.insecure.org/nmap/)
Host (192.168.7.11) appears to be up.
Host (192.168.7.12) appears to be up.
Host (192.168.7.76) appears to be up.
Nmap run completed -- 256 IP addresses (3 hosts up) scanned in 1 second
Port Scanning
# nmap -sT 192.168.7.12
Starting nmap V. 2.12 by Fyodor ([email protected], www.insecure.org/nmap/)
Interesting ports on (192.168.7.12):
Port State Protocol Service
7 open tcp echo
9 open tcp discard
13 open tcp daytime
19 open tcp chargen
21 open tcp ftp
...
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
NMAP (Cont…)
Stealth Scanning
# nmap -sS 192.168.7.7
Starting nmap V. 2.12 by Fyodor ([email protected], www.insecure.org/nmap/)
Interesting ports on saturnlink.nac.net (192.168.7.7):
Port State Protocol Service
21 open tcp ftp
25 open tcp smtp
53 open tcp domain
80 open tcp http
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
OS Fingerprinting
# nmap -sS -O 192.168.7.12
Starting nmap V. 2.12 by Fyodor ([email protected], www.insecure.org/nmap/)
Interesting ports on comet (192.168.7.12):
Port State Protocol Service
7 open tcp echo
9 open tcp discard
13 open tcp daytime
19 open tcp chargen
21 open tcp ftp
...
Remote operating system guess: Solaris 2.6 - 2.7
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
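The same scanner output an attacker reads for targets is what an administrator reads for exposure: the port tables above show comet offering echo, discard, daytime and chargen alongside ftp, none of which a server usually needs. The Python below is an added example (not part of the slides or of nmap) that parses the nmap 2.x text output shown on these slides, the ping-sweep "appears to be up" lines, the "Interesting ports on" tables and the OS guess, and diffs the open ports against an approved baseline per host. `BASELINE` is constructed for the example; the two output samples are the slide's own.

```python
import re

HOST_UP_RE = re.compile(r"^Host (?:(?P<name>\S+) )?\((?P<ip>[\d.]+)\) appears to be up\.")
PORTS_HDR_RE = re.compile(r"^Interesting ports on (?:(?P<name>\S+) )?\((?P<ip>[\d.]+)\):")
PORT_RE = re.compile(r"^(?P<port>\d+)\s+(?P<state>\w+)\s+(?P<proto>\w+)\s+(?P<service>\S+)$")
OS_RE = re.compile(r"^Remote operating system guess:\s*(?P<os>.+)$")

# Ping-sweep output from the slide.
SWEEP_OUTPUT = """\
Starting nmap V. 2.12 by Fyodor ([email protected], www.insecure.org/nmap/)
Host (192.168.7.11) appears to be up.
Host (192.168.7.12) appears to be up.
Host (192.168.7.76) appears to be up.
Nmap run completed -- 256 IP addresses (3 hosts up) scanned in 1 second
"""

# OS-fingerprinting output from the slide (the "..." is the slide's own elision).
OS_SCAN_OUTPUT = """\
Starting nmap V. 2.12 by Fyodor ([email protected], www.insecure.org/nmap/)
Interesting ports on comet (192.168.7.12):
Port State Protocol Service
7 open tcp echo
9 open tcp discard
13 open tcp daytime
19 open tcp chargen
21 open tcp ftp
...
Remote operating system guess: Solaris 2.6 - 2.7
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
"""

# Constructed baseline (not on the slide): the ports an administrator has approved per host.
BASELINE = {"192.168.7.12": {21}}


def parse_nmap(text):
    """Parse nmap 2.x text output into hosts_up, per-host port tables and OS guesses."""
    result = {"hosts_up": [], "ports": {}, "os_guess": {}}
    current = None  # IP whose port table we are inside
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_UP_RE.match(line)
        if m:
            result["hosts_up"].append(m.group("ip"))
            continue
        m = PORTS_HDR_RE.match(line)
        if m:
            current = m.group("ip")
            result["ports"][current] = {}
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            result["ports"][current][int(m.group("port"))] = {
                "state": m.group("state"), "proto": m.group("proto"), "service": m.group("service")}
            continue
        m = OS_RE.match(line)
        if m:
            result["os_guess"][current] = m.group("os").strip()
    return result


def unexpected_open_ports(parsed, baseline):
    """{ip: {port: service}} for open ports that are not in the host's approved set."""
    findings = {}
    for ip, ports in parsed["ports"].items():
        allowed = baseline.get(ip, set())
        extra = {p: info["service"] for p, info in ports.items()
                 if info["state"] == "open" and p not in allowed}
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    print("hosts up:", parse_nmap(SWEEP_OUTPUT)["hosts_up"])
    scan = parse_nmap(OS_SCAN_OUTPUT)
    for ip, extra in unexpected_open_ports(scan, BASELINE).items():
        print(f"{ip} ({scan['os_guess'].get(ip, 'unknown OS')}): unexpected open ports {extra}")
```

With the constructed baseline allowing only ftp on 192.168.7.12, the report lists ports 7, 9, 13 and 19 as unexpected; those small TCP services are the first candidates to disable. Re-running the scan after each change and diffing against the stored baseline turns the scanner into a regression check rather than a one-off inventory.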
Nessus
Nessus is a software tool that provides host-based vulnerability scanning.
The difference between Nessus and the majority of its competitors is the price tag – Nessus is free.
Nessus follows a client-server architecture.
Nessus
www.nessus.org
Secure client/server architecture
The server must be on a Unix system.
Clients exist for Unix, Windows, Java applets, and the server's command line. A client can log in securely with an ID and password or with a certificate, and can be restricted to the set of IP addresses it is allowed to scan.