Your SlideShare is downloading. ×
Reconnaissance & Scanning
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Reconnaissance & Scanning

9,057
views

Published on

Reconnaissance & Scanning

Reconnaissance & Scanning

Published in: Technology, Education

0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
9,057
On Slideshare
0
From Embeds
0
Number of Embeds
41
Actions
Shares
0
Downloads
0
Comments
0
Likes
4
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Reconnaissance & Scanning By Letian Li ISQS 6342 (Spring 2003) Professor John Durrett
  • 2. Reconnaissance
    • Using a combination of tools and techniques to take an unknown quantity of information and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet.
      • Low-Technology Reconnaissance
      • Search the Fine Web
      • Use search engines
      • Whois Databases
      • Domain Name System
  • 3. Low-Technology Reconnaissance
    • Social Engineering
      • Computer users must be trained not give sensitive information away to a friendly caller.
    • Physical Beak-in
      • A guard at the front door or a card reader checks all employees coming into a given facility.
    • Dumpster Diving
      • A well used paper shredder is the best defense against dumpster diving.
  • 4. Search the Fine Web (STFW)
    • Searching an organization’s own web site
    • The Fine Art of using search engines
    • Listening in at the Virtual Watering Hole: Usenet
  • 5. Searching an organization’s own web site
    • Employee’s contact information with phone numbers.
    • Clues about the corporate culture and language.
    • Business partners.
    • Recent mergers and acquisitions.
    • Technologies in use.
  • 6. The Fine Art of using search engines
    • AltaVista
    • Excite
    • Google
  • 7. Listening in at the Virtual Watering Hole: Usenet
    • Internet Usenet newsgroups are frequently used by employees to share information and ask questions.
      • Reveals sensitive information.
      • Web search engine such as www.groups.google.com provides a massive archive of an enormous number of newsgroups.
  • 8. Defenses against web-based Reconnaissance
    • Establishing policies regarding what type of information is allowed in your own web servers.
      • Avoid including information about the products used in your environment, particularly their configuration.
    • Policy regarding the use of newsgroups and mailing list by employees.
      • Avoid posting information about system configurations, business plans, and other sensitive topics.
  • 9. Whois Databases: treasure Chests of Information
    • Whois Databases contain a variety of data elements regarding the assignment of Internet addresses, Domain names, and individual contacts.
    • Researching .com, .net, and .org Domain Names.
      • A complete list of all accredited registrars is available at www.internic.net/alpha.html .
      • www.internic.net/whois.html
        • Allows a user to enter an organization’s name or domain name.
    • Researching Domain Names Other Than .com, .net, and .org.
      • For organizations outside of the United States, a list can find from www.allwhois.com/home.html .
  • 10. IP Address Assignments through ARIN
    • American Registry for Internet Numbers.
      • Contains all IP addresses assigned to particular organization.
      • Users can access the ARIN whois database at http:// www.arin.net/whois/index.html .
    • European IP address assignments can be retrieved at www.ripe.net .
  • 11. Defenses against Whois Searches
    • Database information that is useful for attackers should not be available to the public.
    • Can we use some erroneous or misleading registration information?
      • You can quickly and easily get the contact information using whois searches.
      • The whois database information let us inform an administrator that their systems were being used in an attack.
  • 12. Defenses against Whois Searches
    • There rally is no comprehensive defense to prevent attackers from gaining registration data.
  • 13. The Domain Name System
    • DNS is a hierarchical database distributed around the world that store a variety of information, including IP addresses, domain names, and mail server information.
      • DNS servers store this information and make up the hierarchy.
  • 14. Interrogating DNS Servers
    • nslookup command
      • Windows Nt/2000
      • Most variations of Unix
    • host command
      • Included with most variations of UNIX
    • dig command
      • Included with some UNIX variants
  • 15. Defenses from DNS-Based Reconnaissance
    • Make sure you aren’t leaking information unnecessarily through DNS servers.
    • Restrict zone transfers .
    • Use “ split DNS ” to limit the amount of DNS information about your infrastructure.
  • 16. We’ve got the registrar, now what?
    • Names: Complete registration information includes the administrative, technical, and billing contact names.
      • An attacker can use this information to deceive people in target organization during a social engineering attack.
    • Telephone numbers
      • The telephone numbers associated with the contacts can be used by an attacker in war-dialing attack.
  • 17. We’ve got the registrar, now what? (cont.)
    • Email addresses: this information will indicate to an attacker the format of email addressed used in the target organization.
      • The attacker will know how to address email for any user.
    • Postal addresses:
      • An attacker can use this geographic information to conduct dumpster-diving exercises or social engineering.
  • 18. We’ve got the registrar, now what? (cont.)
    • Registration dates:
      • Older registration records tends to be inaccurate.
      • A record that hasn’t been recently updated may indicate an organization that is lax in maintaining their Internet connection.
    • Name severs:
      • This incredibly useful field includes the addresses for the Domain Name system servers for the target.
  • 19. General Purpose Reconnaissance Tools
    • Sam Spade, a General-Purpose Reconnaissance Client Tool.
      • One of the easiest to use and most functional integrated reconnaissance suites available today.
      • Runs on Windows 9X, NT, and 2000.
      • Available at www.samspade.org/ssw /
  • 20. Sam Spade’s Capabilities
    • Ping: This tool will send an ICMP Echo request message to a target to see if it is alive and determine how long it takes it to respond.
    • Whois: Conduct Whois lookups using default Whois servers, or by allowing the user to specify which Whois database to use.
    • IP Block Whois: Used to determine who owns a particular set of IP addressed, using ARIN databases.
    • Nslookup: Querying a DNS server to find domain name to IP address mapping.
    • DNS Zone Transfer: Transfers all information about a given domain from the proper name serer.
  • 21. Sam Spade’s Capabilities (cont.)
    • Traceroute: Return a list of router hops between the source machine and the chosen target.
    • Finger: Supports querying a system to determine its user list.
    • SMTP VRFY: Determine whether particular email addresses are valid on a giver email server.
    • Web browser: Sam Spade’s built-in mini browser lets its users view raw HTTP interaction, including all HTTP headers.
  • 22. General Purpose Reconnaissance Tools (cont.)
    • Other client-based reconnaissance tools similar to Sam Spade include:
      • cyberKit: A freeware tool fro Windows available at http://www.twpm.com/internet/downloads/cyberkit.htm
      • iNetScanTools: a feature-limited demonstration tool from windows and Macintosh, available at www.wildpackets.com/products/inettools
  • 23. Web-Based reconnaissance tools: Research and Attack Portals
    • www.samspade.org
    • www.network-tools.com
    • www.securityspace.com /
    • www.grc.com/x/ne.dll?bhobkyd2
    • www.doshelp.com/dostest.htm
    • www.dslreports.com/r3/dsl/secureme
  • 24. Scanning
    • Scanning phase is akin to a burglar turning doorknobs and trying to open windows to find a way into your house. Common techniques include:
      • War Dialing
      • Network Mapping
      • Port Scan
      • Vulnerability Scan
  • 25. War Dialing
    • A war-dialing tool automates the task of dialing large pools of telephone numbers in an effort to find unprotected modems.
    • An attacker can scan in excess of a thousand telephone numbers in a single night using a single computer with a single phone line.
    • More computers and phone line make the scan even faster.
  • 26. War Dialer vs. Demon Dialer
    • A war dialer is a tool used to scan a large pool of numbers to find modems and other interesting lines.
    • A demon dialer is a tool used to attack just one telephone number with a modem, guessing password after password in an attempt to gain access.
    • War dialing focuses in scanning a variety of telephone numbers, while demon dialing focuses in gaining access through a single telephone number.
  • 27. A Toxic Recipe: Modems, remote Access Products, and Clueless Users
    • By default, many of these remote control products include no password for authentication.
    • Anyone dialing up to a system with war-dialer installed has complete control over the victim machine without providing even password.
    • We can discover modems connected to servers and routers that either request no password or have a trivial-to-guess password.
  • 28. Finding Telephone Numbers to Feed into a War Dialer
    • The phone book.
    • The Internet.
    • Whois databases.
    • Your organization’s Web site.
    • Social engineering.
  • 29. War-Dialing Tools
    • THC-Scan 2.0.
      • THC-Scan is one of the most full-featured, noncommercial war dialing tool available today.
      • You can find it at www.ussysadmin.com/modules.php?name = Downloads&d_op = search&query =
    • l0pht’s TBA War-Dialing Tool
      • Available at www.l0pht.com
  • 30. The War Dialer provides a List of Lines with Modems: Now What?
    • The attacker may find systems without password. The attacker will connect to such system, look through local files, and start to scan the net work.
    • If all of the discovered systems with modems are password protected, the attacker will then sort to password guessing.
  • 31. Defenses against War Dialing
    • Modem policy.
    • Dial-out only?
      • While this technique works quite well, some users have a business need that requires incoming dial-up modem access.
    • Find your modems before the attackers do.
      • Use a commercial war dialer.
        • www.sandstorm.net www.securelogix.com
    • Desk-to-desk checks.
  • 32. Network Mapping
    • Network mapping" is the effort to map
      • Topology
        • How network components are connected to each other to build up the network.
      • Network devices
        • Types, brands, versions etc .
      • Computers and services
        • Computers and their placement, vendors and models of running O.S.'s, published services
  • 33. Common Network Mapping
    • Sweeping: Finding Live Hosts.
    • Traceroute: What Are the Hops ?
  • 34. Sweeping: finding Live Hosts
    • ICMP
      • Send an ICMP Echo Request packet to every possible address.
      • If a reply comes back, that address has an active machine.
      • But many networks block incoming ICMP messages.
  • 35. Sweeping: finding Live Hosts (cont.)
    • TCP/UDP
      • An attacker could alternatively send a TCP or UDP packet to a port that is commonly open, such as TCP port 80.
      • If nothing comes back, there may or may not be a machine there.
  • 36. Traceroute: What Are the Hops ?
    • Tracerouting relies on the Time-To-Live (TTL) field in the IP header.
    • Start with a TTL of one. This process continues with incrementally higher TTLs until reach the destination.
      • ICMP Time Exceeded message has the router’s IP address.
    • Most UNIX varieties include a version for the traceroute program.
    • Windows NT and Windows 2000 include tracert program.
  • 37. Cheops: A Nifty Network Mapper and General-Purpose Management Tool
    • Available at www.marko.net/cheops
    • Runs Linux.
  • 38. Defenses against Network Mapping
    • Filter out the underlying messages that mapping tools rely on.
      • At Internet gateway, block incoming ICMP messages, except to hosts that you want the public to be able to ping.
    • Filter ICMP TIME Exceeded messages leaving your network to stymie an attacker using traceroute ( tracert).
  • 39. Determining Open Ports Using Port Scanners
    • Discover the purpose of each system and learn potential entryways into your machines by analyzing which ports are open.
    • The attacker may focus on common services like telnet, FTP, email.
    • Free port-scanning tools:
      • Nmap, at www.insecure.org/nmap/ .
      • Ultrascan.
      • Strobe.
  • 40. Nmap: A Full-Featured Port Scanning Tool
    • A nice GUI for Nmap.
  • 41. Common Type of Nmap Scans
    • TCP Connect
    • TCP SYN Scans
    • TCP FIN, Xmas Tree, and Null Scans
    • TCP ACK Scans
    • FTP Bounce Scans
  • 42. The Polite scan: TCP Connect
    • Complete the TCP three-way handshake .
    • Connect scans are really easy to detect .
      • The web server’s log file will indicate that a connection was opened from the attacker’s IP address.
      • Attackers often use stealthier scan techniques .
  • 43. A Little Stealthier: TCP SYN Scans
    • SYN scans stop two-thirds of the way through the handshake.
    • If the target port is closed, the attacker’s system will receive either no response, a RESET packet, or an ICMP Port unreachable packet, depending on the target machine type and network architecture.
    • Benefits:
      • Stealthier. A true connection never occurs.
      • Speed.
  • 44. Violate the protocol Spec: TCP FIN, Xmas Tree, and Null Scans
    • A FIN packet instructs the target system that the connection should be torn down.
      • A closed port should respond with a RESET.
      • An open port will respond nothing.
    • Xmas Tree and Null scan are similar to FIN Scan.
    • Unfortunately, this technique does not work against Microsoft Windows-based systems.
  • 45. Kicking the ball Past the Goalie: TCP ACK Scans
  • 46. Obscure the Source: FTP Bounce Scans
    • Some old FTP servers allow a user to connect to them and request that the server send a file to another system.
    • Attacker opens a connection to a FTP server supporting the bounce feature.
    • The attacker’s tool requests that the innocent FTP server open a connection to a given port in the target system.
    • Innocent FTP then will tell the attacker the status of the port.
  • 47. Don’t Forget UDP!
    • UDP does not have a three-way handshake, sequence numbers, or code bits.
    • Packets may be delivered out of order, and are not retransmitted if they are dropped.
    • False positives are common during UDP scan.
  • 48. Setting Source Ports for a successful Scan
    • TCP port 80 is a popular choice for a source port, as the resulting traffic will appear to be coming from a Web server using HTTP.
    • Attackers also widely use TCP source port 25, which appears to be traffic from an Internet mail server using the SMTP protocol.
    • Another interesting option involves using a TCP source port of 20, which will look like an FTP-data connection.
  • 49. Defenses against port Scanning
    • Harden your systems.
      • Close all unused ports.
      • For critical systems, delete the programs associated with the unneeded service.
    • Find the Openings before the Attackers Do.
      • Scan your systems before an attacker does to verify all ports are closed except those that have a defined business need.
    • Add Some Intelligence: Use Stateful Packet Filters or Proxies .
  • 50. Vulnerability Scanning Tools
    • A vulnerability-scanning tool will automatically check for the following types of vulnerabilities on the target system:
      • Common configuration errors: Numerous systems have poor configuration settings, leaving various openings for an attacker to gain access.
      • Default configuration weaknesses: default accounts and passwords.
      • Well-known system vulnerabilities: new security holes are discovered and published.
  • 51. Vulnerability Scanning Defenses
    • Again, close all unused ports and apply patches to your systems.
    • Run the Tools against Your Own Networks.
      • Use any one of the free or commercial tools.
      • Be careful with denial-of-Service and Password Guessing Tests .
        • You could damage your systems if you misconfigure the tools.
        • Be sure to disable Denial-of-Service attacks, unless you specifically want them.
        • Password-guessing may lock out legitimate users.
  • 52. Vulnerability Scanning Defenses
    • Be aware of Limitations of Vulnerability Scanning Tools.
      • These tools only check for vulnerabilities that they know about.
        • You must be sure to keep the vulnerability database up to date.
      • These tools don’t really understand the network architecture.
  • 53. Intrusion Detection System
    • All of the scanning tools are incredibly noisy.
      • A robust vulnerability scan could send hundreds of thousands or millions of packets to the target network.
    • A network-based IDS captures all data on the LAN, gathering packets associated with normal use of the network and attacks alike.
    • By matching attack signatures in their database, IDSs detect attacks.
  • 54. Evade Network-Based Intrusion Detection Systems
    • Mess with the appearance of traffic so it doesn’t match the signature.
      • Detection is based on signature matching, the attackers can work hard to make sure their attacks don’t look like the signatures checked by the IDS.
  • 55. IDS Evasion at the Network Level
    • A large IP packet is broken down into a series of fragments, each with its own IP header. To detect attaches, IDS needs to store, reassemble and analyze all of these fragments.
    • Use fragments: Older IDS cannot handle fragment resemble.
    • Send a flood of fragments: tie up all of the memory capacity of the IDS systems.
    • Fragment the packets in unexpected ways: fragment the packets in a variety of unusual ways.
  • 56. IDS Evasion Defenses
    • Don’t despair: Utilize IDS Where appropriate.
    • Keep the IDS System up to date.
    • Utilize both Host-Based and Network-Based IDS.
      • A network-base IDS listens to the network looking for attacks.
      • A host-based IDS run on the end system that is under attack.
  • 57. References
    • Counter Hack, Ed Skoudis,Prentice-Hall,Inc. NJ, 2002
    • Hacking Exposed, McClure, Scambray, Kurtz, McGrawHill, Chicago, 2001
    • http:// www.internic.net/alpha.html
    • http://www.internic.net/whois.html
    • http://www.alldomains.com/404.html
    • http://www.arin.net/whois/index.html
    • http://www.ripe.net/
    • http://www.scit.wlv.ac.uk/~jphb/comms/dns.html
    • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_DNS_und_ZoneTransfers.asp
  • 58. References (cont.)
    • http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html
    • http://www.samspade.org/ssw/
    • http://www.freesoft.org/CIE/Topics/81.htm
    • http://www.austin.rr.com/rrsec/computer_ports.html
    • http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci214184,00.html
    • http://www.marko.net/cheops/
    • http://www.insecure.org/nmap/
    • http://www.security.pipex.net/stateful.html
    • http://www.sei.cmu.edu/str/descriptions/firewalls_body.html

×