3. AGENDA
0x10 Introduction to the Idea of DPS
0x20 Overview of Current Spoofing Techniques
0x30 Integrating ARP Poisoning into Port Scanning
0x40 1-Packet-Based TCP Stealth Scans and Their Uses
0x50 Putting It into Practice [The Tool of Trade]
0x60 DEMO
0x70 Preventing DPS in Private LANs
0x80 Conclusion
0x90 References
0xa0 Thanks & Greetings – Questions & Answers
4. 0x10 Introduction to the Idea of DPS
0x11 Definition: Dynamic Port Scanner [DPS] integrates ARP-Poisoning and Spoofing into Port Scanning to dynamically spoof the source IP of TCP or UDP scan packets. "Dynamic spoofing" means that each TCP or UDP scan packet carries a dynamically and randomly generated IP as its source address. DPS can be considered a "virtual" distributed scan, since the scan appears to come from many scanning machines. DPS is best suited for "inside" penetration testing or attack.
5. 0x20 Overview of Current Spoofing Techniques
1] Normal Source-IP Spoofing
   # nmap -sS -S 10.1.11.200 -p 1-100 20.2.22.300
2] The Use of Decoys
   # nmap -sS -D10.1.11.200,10.1.11.210 -p 1-90 20.2.22.300
3] Distributed Port Scanning
6. 0x20 Overview of Current Spoofing Techniques
1] Normal Source-IP Spoofing (1)
   # nmap -sS -S 10.1.11.200 -p 1-100 20.2.22.300
This is the simplest of the techniques. All the attacker needs to do is spoof the source IP of the scanning machine to any other IP, without worrying about anything else; that spoofed IP is used for all scan packets. The spoofed IP can be any valid IP address and does not have to be within the subnet IP range of the scanning machine.
7. 0x20 Overview of Current Spoofing Techniques
1] Normal Source-IP Spoofing (2)
   # nmap -sS -S 10.1.11.200 -p 1-100 20.2.22.300
Advantages:
1- Freedom of spoofing
2- No wasted initiated packets
3- No tracing of the original scanner
Disadvantages:
1- No replies!!
2- No results!!
8. 0x20 Overview of Current Spoofing Techniques
2] The Use of Decoys (1)
   # nmap -sS -D10.1.11.200,10.1.11.210 -p 1-90 20.2.22.300
A decoy scan works by sending more than one packet per port. All of these packets carry spoofed source IPs except one, which carries the original scanner's IP address. This guarantees the attacker at least one reply: the reply to the scan packet carrying the real IP address. All other replies are addressed to the decoys and never reach the scanning machine.
9. 0x20 Overview of Current Spoofing Techniques
2] The Use of Decoys (2)
   # nmap -sS -D10.1.11.200,10.1.11.210 -p 1-90 20.2.22.300
Advantages:
1- Results are guaranteed
2- Freedom of spoofing
Disadvantages:
1- Lots of wasted traffic
2- Original scanner is logged (detection is not impossible)
10. 0x20 Overview of Current Spoofing Techniques
3] Distributed Port Scanning (1)
A distributed scan works by dividing the scanning scope among multiple attack platforms. Each attack platform performs a normal scan for a small range of port numbers. Although this is not a 100% spoofing mechanism, it increases the overhead for the system administrator on the other side, who has to trace back the attacker [e.g. there could be hundreds of originating IPs]. Furthermore, those originating IPs could be compromised hosts of innocent people.
11. 0x20 Overview of Current Spoofing Techniques
3] Distributed Port Scanning (2)
Advantages:
1- No useless traffic
2- Results are guaranteed
3- Minimized scan time
Disadvantages:
1- All scanners are logged/traced
2- Scanners must be under control
12. 0x30 Integrating ARP Poisoning into Port Scanning
0x31 The Basic Idea
0x32 ARP-Cache Poisoning
0x33 ARP-Poisoning with Scanning
0x34 Advantages
0x35 Limitations
15. 0x30 Integrating ARP Poisoning into Port Scanning
0x33 ARP-Poisoning with Scanning: target is outside the local net
Local segment addresses shown: 10.1.11.5, 10.1.11.10, 10.1.11.15, 10.1.11.20; gateway 10.1.11.1 (BB:BB:BB:BB:BB:BB); target 10.1.0.74. AA:AA:AA:AA:AA:AA is the scanning machine's own MAC.
1] 10.1.0.74 is NOT within the local net
2] Get the gateway IP and ARP for its MAC
3] Generate random IP (10.1.11.15)
4] Poison the gateway (2 fake ARP packets)
5] Send the scan packet
6] Wait for the response
Packets on the wire:
  ARPOP_REPLY    src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.1 (BB:BB:BB:BB:BB:BB)
  ARPOP_REQUEST  src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.1 (BB:BB:BB:BB:BB:BB)
  10.1.11.15:5678 -> 10.1.0.74:80 [SYN]
  10.1.0.74:80 -> 10.1.11.15:5678 [SYN/ACK]
16. 0x30 Integrating ARP Poisoning into Port Scanning
0x33 ARP-Poisoning with Scanning: target is within the local net
Local segment addresses shown: 10.1.11.5, 10.1.11.10, 10.1.11.15, 10.1.11.20; target 10.1.11.30 (BB:BB:BB:BB:BB:BB). AA:AA:AA:AA:AA:AA is the scanning machine's own MAC.
1] 10.1.11.30 is within the local net (step 2, the gateway lookup, is not needed)
3] Generate random IP (10.1.11.15)
4] Poison the host (2 fake ARP packets)
5] Send the scan packet
6] Wait for the response
Packets on the wire:
  ARPOP_REQUEST  src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.30 (BB:BB:BB:BB:BB:BB)
  ARPOP_REPLY    src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.30 (BB:BB:BB:BB:BB:BB)
  10.1.11.15:5678 -> 10.1.11.30:80 [SYN]
  10.1.11.30:80 -> 10.1.11.15:5678 [SYN/ACK]
17. 0x30 Integrating ARP Poisoning into Port Scanning
0x33 ARP-Poisoning with Scanning (Mechanism Flowchart)
Generate random source IP ("randomly-generated fake IP")
Is the "Target IP" within the local subnet?
  NO  -> "ARP-Poisoning IP" = "Gateway IP"
  YES -> "ARP-Poisoning IP" = "Target IP"
Prepare "ARP REQ" and "ARP REP" with the following data:
  S_IP:  "randomly-generated fake IP"
  D_IP:  "ARP-Poisoning IP"
  S_MAC: MAC of "Attack IP"
  D_MAC: MAC of "ARP-Poisoning IP"
Send the two ARP packets to "ARP-Poisoning IP"
Send the TCP/UDP scan packet with the following data:
  S_PORT: random port number
  D_PORT: scanned port
  S_IP:   "randomly-generated fake IP"
  D_IP:   "Target IP"
  S_MAC:  MAC of "Attack IP"
  D_MAC:  MAC of "ARP-Poisoning IP"
Wait for the reply
18. 0x30 Integrating ARP Poisoning into Port Scanning
0x33 ARP-Poisoning with Scanning (Graphical Representation)
22. 0x40 1-Packet Based Stealth Scanning Techniques
Group #1: TCP SYN Scan (0x02), OPEN PORT. Flag brackets throughout this section use the order [U A P R S F] (URG ACK PSH RST SYN FIN).
          Linux                            Windows
Probe     3.3.3.3 -> 3.3.3.5  [____S_]     3.3.3.3 -> 3.3.3.5  [____S_]
Reply     3.3.3.5 -> 3.3.3.3  [_A__S_]     3.3.3.5 -> 3.3.3.3  [_A__S_]
Result    OPEN                             OPEN

23. 0x40 1-Packet Based Stealth Scanning Techniques
Group #1: TCP SYN Scan (0x02), CLOSED PORT
          Linux                            Windows
Probe     3.3.3.3 -> 3.3.3.5  [____S_]     3.3.3.3 -> 3.3.3.5  [____S_]
Reply     3.3.3.5 -> 3.3.3.3  [_A_R__]     3.3.3.5 -> 3.3.3.3  [_A_R__]
Result    CLOSED                           CLOSED

24. 0x40 1-Packet Based Stealth Scanning Techniques
Group #2: TCP ACK Scan (0x10), OPEN/CLOSED PORT
          Linux                            Windows
Probe     3.3.3.3 -> 3.3.3.5  [_A____]     3.3.3.3 -> 3.3.3.5  [_A____]
Reply     3.3.3.5 -> 3.3.3.3  [___R__]     3.3.3.5 -> 3.3.3.3  [___R__]
Result    UNFILTERED                       UNFILTERED

25. 0x40 1-Packet Based Stealth Scanning Techniques
Group #2: TCP ACK Scan (0x10), OPEN/CLOSED PORT behind a filter
          Linux                            Windows
Probe     3.3.3.3 -> 3.3.3.5  [_A____]     3.3.3.3 -> 3.3.3.5  [_A____]
Reply     (none)                           (none)
Result    FILTERED                         FILTERED

26. 0x40 1-Packet Based Stealth Scanning Techniques
Group #3: NULL, FIN, URG, PSH, XMAS, XMAS1, XMAS2, XMAS3; OPEN PORT (NULL probe shown)
          Linux                            Windows
Probe     3.3.3.3 -> 3.3.3.5  [______]     3.3.3.3 -> 3.3.3.5  [______]
Reply     (none)                           3.3.3.5 -> 3.3.3.3  [_A_R__]
Result    OPEN | FILTERED                  OPEN | CLOSED
Group #3 probe flags:
  NULL  [______]   FIN   [_____F]   URG   [U_____]   PSH   [__P___]
  XMAS  [U_P__F]   XMAS1 [__P__F]   XMAS2 [U____F]   XMAS3 [U_P___]

27. 0x40 1-Packet Based Stealth Scanning Techniques
Group #3: NULL, FIN, URG, PSH, XMAS, XMAS1, XMAS2, XMAS3; CLOSED PORT (NULL probe shown)
          Linux                            Windows
Probe     3.3.3.3 -> 3.3.3.5  [______]     3.3.3.3 -> 3.3.3.5  [______]
Reply     3.3.3.5 -> 3.3.3.3  [_A_R__]     3.3.3.5 -> 3.3.3.3  [_A_R__]
Result    CLOSED                           OPEN | CLOSED
Group #3 probe flags:
  NULL  [______]   FIN   [_____F]   URG   [U_____]   PSH   [__P___]
  XMAS  [U_P__F]   XMAS1 [__P__F]   XMAS2 [U____F]   XMAS3 [U_P___]
28. 0x40 1-Packet Based Stealth Scanning Techniques
Combining the replies to several probes:
Example #1: ACK Scan: ACK; NULL Scan: No Reply
  Operating System: Linux; Port Status: Open
Example #2: ACK Scan: ACK; PSH Scan: RST_ACK; SYN Scan: SYN_ACK
  Operating System: Windows; Port Status: Open
Example #3: ACK Scan: ACK; URG Scan: RST_ACK; SYN Scan: RST_ACK
  Operating System: ------; Port Status: Closed
Example #4: ACK Scan: No Reply; XMAS Scan: No Reply
  Operating System: ------; Port Status: Filtered
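The following is an added example, not part of the slides, showing how a defender can turn the Group #1-#3 flag table into a detection rule: it renders a TCP flag byte in the slides' bracket notation, names the probe type, and collects the stealth probes each source sent in a capture. The sample packets (3.3.3.3 probing 3.3.3.5, and a normal client 3.3.3.9) are constructed for this example.

```python
# Flag bit values follow the TCP header (URG 0x20 ... FIN 0x01), the same
# order as the slides' [U A P R S F] brackets.
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
ORDER = tuple(zip("UAPRSF", (URG, ACK, PSH, RST, SYN, FIN)))

# Probe signatures from the slides' flag table, keyed by the whole flag byte.
PROBES = {
    SYN: "SYN",             # Group #1
    ACK: "ACK",             # Group #2
    0: "NULL",              # Group #3 from here on
    FIN: "FIN",
    URG: "URG",
    PSH: "PSH",
    URG | PSH | FIN: "XMAS",
    PSH | FIN: "XMAS1",
    URG | FIN: "XMAS2",
    URG | PSH: "XMAS3",
}
# A lone SYN or ACK is ordinary traffic; no normal TCP stack sends the rest.
STEALTH = {name for bits, name in PROBES.items() if bits not in (SYN, ACK)}

def bracket(flags):
    """Render a flag byte in the slides' notation, e.g. 0x29 -> '[U_P__F]'."""
    return "[" + "".join(ch if flags & bit else "_" for ch, bit in ORDER) + "]"

def classify(flags):
    """Name the probe type, or 'OTHER' for mixes outside the table (e.g. SYN/ACK)."""
    return PROBES.get(flags & 0x3F, "OTHER")

def stealth_probes(packets):
    """Collect the Group #3 probe types each source IP has sent, from
    (src, dst, dport, flags) tuples.  Several distinct types from one source
    inside a short capture is a strong stealth-scan signal."""
    seen = {}
    for src, _dst, _dport, flags in packets:
        kind = classify(flags)
        if kind in STEALTH:
            seen.setdefault(src, set()).add(kind)
    return {src: sorted(kinds) for src, kinds in seen.items()}

# Constructed capture: 3.3.3.3 probes 3.3.3.5 as in the slides; 3.3.3.9 is a
# normal client completing a handshake.
SAMPLE = [
    ("3.3.3.3", "3.3.3.5", 80, 0),                # NULL
    ("3.3.3.3", "3.3.3.5", 80, URG | PSH | FIN),  # XMAS
    ("3.3.3.3", "3.3.3.5", 80, FIN),              # FIN
    ("3.3.3.9", "3.3.3.5", 80, SYN),              # ordinary connection attempt
    ("3.3.3.9", "3.3.3.5", 80, ACK),              # third step of the handshake
]
```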
30. 0x50 Putting it into Practice [The Tool of Trade]
Tool Usage
31. 0x50 Putting it into Practice [The Tool of Trade]
Simple Network…
Scanning Machine: OS: Linux; IP: 10.1.11.20; MAC: 00:03:FF:A1:A0:89
Target Machine: OS: Linux; IP: 10.1.11.81; Open Port: 80
32. 0x50 Putting it into Practice [The Tool of Trade]
Scanning…
36. 0x70 Preventing DPS in Private LANs
0x71 The deployment of the Port-Disabling feature on switches
Recent switches come with a "Port-Disabling" option that shuts a port down when malicious activity is detected on it. Among those activities is a change of the IP address of the machine attached to that port. Since DPS requires that packets are sent with "fake" IP addresses, a switch can detect this behavior and disable the switch port immediately. The only way to bypass such a measure is to increase the time gap between packets sent with different IP addresses. If the time gap is long enough for the switch cache to time out, the attacker can still use DPS, but the scan will take much longer.
37. 0x70 Preventing DPS in Private LANs
0x72 Installing the arpwatch package on the server(s)
"arpwatch" is a software package that monitors MAC/IP pairs on the network and reports any suspicious behavior. It is always recommended that the sysadmin installs it on the different subnets to monitor MAC/IP pair changes on the network.
38. 0x70 Preventing DPS in Private LANs
0x73 Configuring static ARP entries on the machines
Static ARP entries can be the best measure against ARP-Poisoning; however, maintaining them can be a nightmare. If the network is almost stable (i.e. changes of IPs and machines are minimal), the sysadmin can maintain a small Perl or shell script that runs once a day, probes the IP/MAC combinations of live systems, and adds static entries for them on the servers located on that subnet as well as on the gateway [i.e. the router]. Although DPS can use unallocated IPs in the subnet, "arpwatch" should take care of reporting them in such a case.
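Added example, not code from the slides or from arpwatch itself: an arpwatch-style check over a list of observed ARP bindings that raises the two signals 0x72 and 0x73 depend on, an IP whose MAC changes, and one MAC claiming many IPs in a short window (which is exactly what the per-packet random source IPs of 0x33 leave behind), and then emits static `arp -s` entries only for bindings that passed both checks. The observation list, its timestamps and the aa:aa/bb:bb MACs are constructed for this example.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender_ip, sender_mac) taken from ARP traffic
# on the 10.1.11.0/24 segment of the slides.  aa:aa:... is the scanner's MAC,
# which gets bound to a fresh random IP for every scan packet (section 0x33).
OBSERVED = [
    (0,  "10.1.11.1",   "bb:bb:bb:bb:bb:bb"),  # gateway, stable
    (1,  "10.1.11.5",   "00:11:22:33:44:55"),  # ordinary host
    (2,  "10.1.11.20",  "aa:aa:aa:aa:aa:aa"),  # scanner's real address
    (10, "10.1.11.15",  "aa:aa:aa:aa:aa:aa"),  # fake IP #1 (unallocated)
    (11, "10.1.11.77",  "aa:aa:aa:aa:aa:aa"),  # fake IP #2
    (12, "10.1.11.5",   "aa:aa:aa:aa:aa:aa"),  # fake IP #3 collides with a live host
    (13, "10.1.11.123", "aa:aa:aa:aa:aa:aa"),  # fake IP #4
    (60, "10.1.11.1",   "bb:bb:bb:bb:bb:bb"),
]

def changed_ip_bindings(observed):
    """arpwatch-style 'changed ethernet address': IPs seen with more than one MAC."""
    macs = defaultdict(set)
    for _t, ip, mac in observed:
        macs[ip].add(mac.lower())
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}

def multi_ip_macs(observed, window=30, threshold=3):
    """MACs that claim more than `threshold` distinct IPs inside any `window`
    seconds.  A normal host has one or two IPs; a DPS run shows dozens."""
    events = defaultdict(list)
    for t, ip, mac in sorted(observed):
        events[mac.lower()].append((t, ip))
    flagged = {}
    for mac, evs in events.items():
        for i, (t0, _ip) in enumerate(evs):
            ips = {ip for t, ip in evs[i:] if t - t0 <= window}
            if len(ips) > threshold:
                flagged[mac] = sorted(ips)
                break
    return flagged

def static_arp_commands(observed):
    """Section 0x73: `arp -s` lines for bindings that passed both checks above,
    so fake IPs from a scan are never frozen into the static table."""
    unstable, suspect = changed_ip_bindings(observed), multi_ip_macs(observed)
    stable = {ip: mac.lower() for _t, ip, mac in observed
              if ip not in unstable and mac.lower() not in suspect}
    return [f"arp -s {ip} {mac}" for ip, mac in sorted(stable.items())]

if __name__ == "__main__":
    print(changed_ip_bindings(OBSERVED))
    print(multi_ip_macs(OBSERVED))
    print("\n".join(static_arp_commands(OBSERVED)))
```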
39. 0x08 References
0x01 Nmap Port Scanner tool, by Fyodor. http://www.insecure.org/map
0x02 Libnet Packet Creation/Injection Platform, by Mike Schiffman. http://www.packetfactory.net/projects/libnet/
0x03 Building Open Source Network Security Tools, by Mike Schiffman.
0x04 The Art of Scanning, by Fyodor. Phrack Magazine, Volume 7, Issue 51, September 01, 1997, article 11
0x05 libpcap: the packet capturing library. http://www.tcpdump.org/
0x06 arpwatch tool. http://ee.lbl.gov/
0x07 EtherApe: a graphical network monitor. http://etherape.sourceforge.net/