Reconnaissance & Scanning
1. Reconnaissance & Scanning
   By Letian Li, ISQS 6342 (Spring 2003), Professor John Durrett

2. Reconnaissance
   - Using a combination of tools and techniques to take an unknown quantity of information and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet.
     - Low-Technology Reconnaissance
     - Search the Fine Web
     - Use search engines
     - Whois databases
     - Domain Name System

3. Low-Technology Reconnaissance
   - Social Engineering
     - Computer users must be trained not to give sensitive information away to a friendly caller.
   - Physical Break-in
     - A guard at the front door or a card reader checks all employees coming into a given facility.
   - Dumpster Diving
     - A well-used paper shredder is the best defense against dumpster diving.

4. Search the Fine Web (STFW)
   - Searching an organization's own web site
   - The fine art of using search engines
   - Listening in at the virtual watering hole: Usenet

5. Searching an Organization's Own Web Site
   - Employees' contact information with phone numbers.
   - Clues about the corporate culture and language.
   - Business partners.
   - Recent mergers and acquisitions.
   - Technologies in use.

6. The Fine Art of Using Search Engines
   - AltaVista
   - Excite
   - Google

7. Listening in at the Virtual Watering Hole: Usenet
   - Usenet newsgroups are frequently used by employees to share information and ask questions.
     - This can reveal sensitive information.
     - Web search engines provide a massive archive of an enormous number of newsgroups.

8. Defenses against Web-Based Reconnaissance
   - Establish policies regarding what type of information is allowed on your own web servers.
     - Avoid including information about the products used in your environment, particularly their configuration.
   - Establish a policy regarding the use of newsgroups and mailing lists by employees.
     - Avoid posting information about system configurations, business plans, and other sensitive topics.

9. Whois Databases: Treasure Chests of Information
   - Whois databases contain a variety of data elements regarding the assignment of Internet addresses, domain names, and individual contacts.
   - Researching .com, .net, and .org domain names.
     - A complete list of all accredited registrars is available online (link not preserved).
     - A whois lookup site (link not preserved) allows a user to enter an organization's name or domain name.
   - Researching domain names other than .com, .net, and .org.
     - For organizations outside of the United States, a list can be found online (link not preserved).

10. IP Address Assignments through ARIN
   - American Registry for Internet Numbers.
     - Contains all IP addresses assigned to particular organizations.
     - Users can access the ARIN whois database online (link not preserved).
   - European IP address assignments can be retrieved online (link not preserved).

11. Defenses against Whois Searches
   - Database information that is useful for attackers should not be available to the public.
   - Can we use some erroneous or misleading registration information?
     - You can quickly and easily get contact information using whois searches.
     - Whois database information also lets us inform an administrator that their systems are being used in an attack.

12. Defenses against Whois Searches (cont.)
   - There really is no comprehensive defense to prevent attackers from gaining registration data.

13. The Domain Name System
   - DNS is a hierarchical database distributed around the world that stores a variety of information, including IP addresses, domain names, and mail server information.
     - DNS servers store this information and make up the hierarchy.

14. Interrogating DNS Servers
   - nslookup command
     - Windows NT/2000
     - Most variations of UNIX
   - host command
     - Included with most variations of UNIX
   - dig command
     - Included with some UNIX variants

15. Defenses from DNS-Based Reconnaissance
   - Make sure you aren't leaking information unnecessarily through DNS servers.
   - Restrict zone transfers.
   - Use "split DNS" to limit the amount of DNS information about your infrastructure.

16. We've Got the Registrar, Now What?
   - Names: complete registration information includes the administrative, technical, and billing contact names.
     - An attacker can use this information to deceive people in the target organization during a social engineering attack.
   - Telephone numbers
     - The telephone numbers associated with the contacts can be used by an attacker in a war-dialing attack.

17. We've Got the Registrar, Now What? (cont.)
   - Email addresses: this information indicates to an attacker the format of email addresses used in the target organization.
     - The attacker will know how to address email to any user.
   - Postal addresses:
     - An attacker can use this geographic information to conduct dumpster-diving exercises or social engineering.

18. We've Got the Registrar, Now What? (cont.)
   - Registration dates:
     - Older registration records tend to be inaccurate.
     - A record that hasn't been recently updated may indicate an organization that is lax in maintaining its Internet connection.
   - Name servers:
     - This incredibly useful field includes the addresses of the Domain Name System servers for the target.

19. General Purpose Reconnaissance Tools
   - Sam Spade, a general-purpose reconnaissance client tool.
     - One of the easiest to use and most functional integrated reconnaissance suites available today.
     - Runs on Windows 9x, NT, and 2000.
     - Available online (link not preserved).

20. Sam Spade's Capabilities
   - Ping: sends an ICMP Echo Request message to a target to see if it is alive and to determine how long it takes to respond.
   - Whois: conducts whois lookups using default whois servers, or lets the user specify which whois database to use.
   - IP Block Whois: used to determine who owns a particular set of IP addresses, using ARIN databases.
   - Nslookup: queries a DNS server to find the domain-name-to-IP-address mapping.
   - DNS Zone Transfer: transfers all information about a given domain from the proper name server.

21. Sam Spade's Capabilities (cont.)
   - Traceroute: returns a list of router hops between the source machine and the chosen target.
   - Finger: supports querying a system to determine its user list.
   - SMTP VRFY: determines whether particular email addresses are valid on a given email server.
   - Web browser: Sam Spade's built-in mini browser lets its users view raw HTTP interaction, including all HTTP headers.

22. General Purpose Reconnaissance Tools (cont.)
   - Other client-based reconnaissance tools similar to Sam Spade include:
     - CyberKit: a freeware tool for Windows (link not preserved).
     - iNetScanTools: a feature-limited demonstration tool for Windows and Macintosh (link not preserved).

23. Web-Based Reconnaissance Tools: Research and Attack Portals
   - (Portal links not preserved in the slide text.)

24. Scanning
   - The scanning phase is akin to a burglar turning doorknobs and trying to open windows to find a way into your house. Common techniques include:
     - War dialing
     - Network mapping
     - Port scan
     - Vulnerability scan

25. War Dialing
   - A war-dialing tool automates the task of dialing large pools of telephone numbers in an effort to find unprotected modems.
   - An attacker can scan in excess of a thousand telephone numbers in a single night using a single computer with a single phone line.
   - More computers and phone lines make the scan even faster.

26. War Dialer vs. Demon Dialer
   - A war dialer is a tool used to scan a large pool of numbers to find modems and other interesting lines.
   - A demon dialer is a tool used to attack just one telephone number with a modem, guessing password after password in an attempt to gain access.
   - War dialing focuses on scanning a variety of telephone numbers, while demon dialing focuses on gaining access through a single telephone number.

27. A Toxic Recipe: Modems, Remote Access Products, and Clueless Users
   - By default, many of these remote control products include no password for authentication.
   - Anyone dialing up to a system with such a product installed has complete control over the victim machine without providing even a password.
   - We can discover modems connected to servers and routers that either request no password or have a trivial-to-guess password.

28. Finding Telephone Numbers to Feed into a War Dialer
   - The phone book.
   - The Internet.
   - Whois databases.
   - Your organization's web site.
   - Social engineering.

29. War-Dialing Tools
   - THC-Scan 2.0
     - THC-Scan is one of the most full-featured noncommercial war-dialing tools available today.
     - Available online (link not preserved).
   - l0pht's TBA war-dialing tool
     - Available online (link not preserved).

30. The War Dialer Provides a List of Lines with Modems: Now What?
   - The attacker may find systems without passwords. The attacker will connect to such a system, look through local files, and start to scan the network.
   - If all of the discovered systems with modems are password protected, the attacker will then resort to password guessing.

31. Defenses against War Dialing
   - Modem policy.
   - Dial-out only?
     - While this technique works quite well, some users have a business need that requires incoming dial-up modem access.
   - Find your modems before the attackers do.
     - Use a commercial war dialer (link not preserved).
   - Desk-to-desk checks.

32. Network Mapping
   - "Network mapping" is the effort to map:
     - Topology
       - How network components are connected to each other to build up the network.
     - Network devices
       - Types, brands, versions, etc.
     - Computers and services
       - Computers and their placement, vendors and models of the running OSs, published services.

33. Common Network Mapping
   - Sweeping: finding live hosts.
   - Traceroute: what are the hops?

34. Sweeping: Finding Live Hosts
   - ICMP
     - Send an ICMP Echo Request packet to every possible address.
     - If a reply comes back, that address has an active machine.
     - But many networks block incoming ICMP messages.

35. Sweeping: Finding Live Hosts (cont.)
   - TCP/UDP
     - An attacker could alternatively send a TCP or UDP packet to a port that is commonly open, such as TCP port 80.
     - If nothing comes back, there may or may not be a machine there.

36. Traceroute: What Are the Hops?
   - Tracerouting relies on the Time-To-Live (TTL) field in the IP header.
   - Start with a TTL of one. The process continues with incrementally higher TTLs until the destination is reached.
     - Each ICMP Time Exceeded message carries the router's IP address.
   - Most UNIX varieties include a version of the traceroute program.
   - Windows NT and Windows 2000 include the tracert program.
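The TTL mechanism the slide describes, as an added in-memory model (not code from the slides or from any traceroute implementation): each hop decrements TTL, the hop that reaches zero answers with Time Exceeded, and a hop whose reply is filtered shows up as "*". The router and path classes, the probe function and the RFC 5737 sample addresses are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Router:
    ip: str
    sends_time_exceeded: bool = True   # False models a router (or border filter) that drops the ICMP reply

@dataclass
class Path:
    routers: list        # ordered hops between the probing host and the destination
    destination: str

def probe(path, ttl):
    """Model the fate of one probe sent with the given TTL.

    Every router decrements TTL; the one that brings it to zero discards the
    packet and normally answers with ICMP Time Exceeded from its own address.
    Returns ("time_exceeded", router_ip), ("reply", destination_ip) or None (silence).
    """
    for router in path.routers:
        ttl -= 1
        if ttl == 0:
            return ("time_exceeded", router.ip) if router.sends_time_exceeded else None
    return ("reply", path.destination)   # TTL survived every hop: the destination answers

def traceroute(path, max_hops=30):
    """Raise TTL from 1 until the destination replies or max_hops is hit.
    A silent hop is recorded as "*", as traceroute and tracert print it."""
    hops = []
    for ttl in range(1, max_hops + 1):
        result = probe(path, ttl)
        if result is None:
            hops.append("*")
            continue
        hops.append(result[1])
        if result[0] == "reply":
            break
    return hops

# Constructed sample path using RFC 5737 documentation addresses. The second hop
# does not send Time Exceeded, which is what filtering outbound Time Exceeded
# messages (the defense on the network-mapping slide) achieves for every router
# behind the gateway.
SAMPLE_PATH = Path(
    routers=[Router("192.0.2.1"),
             Router("198.51.100.7", sends_time_exceeded=False),
             Router("203.0.113.9")],
    destination="203.0.113.50",
)

if __name__ == "__main__":
    for n, hop in enumerate(traceroute(SAMPLE_PATH), start=1):
        print(f"{n:2d}  {hop}")
```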
37. Cheops: A Nifty Network Mapper and General-Purpose Management Tool
   - Available online (link not preserved).
   - Runs on Linux.

38. Defenses against Network Mapping
   - Filter out the underlying messages that mapping tools rely on.
     - At the Internet gateway, block incoming ICMP messages, except to hosts that you want the public to be able to ping.
   - Filter ICMP Time Exceeded messages leaving your network to stymie an attacker using traceroute (tracert).

39. Determining Open Ports Using Port Scanners
   - Discover the purpose of each system and learn potential entryways into your machines by analyzing which ports are open.
   - The attacker may focus on common services like telnet, FTP, and email.
   - Free port-scanning tools:
     - Nmap (link not preserved).
     - Ultrascan.
     - Strobe.

40. Nmap: A Full-Featured Port Scanning Tool
   - A nice GUI for Nmap.

41. Common Types of Nmap Scans
   - TCP Connect
   - TCP SYN scans
   - TCP FIN, Xmas Tree, and Null scans
   - TCP ACK scans
   - FTP Bounce scans

42. The Polite Scan: TCP Connect
   - Completes the TCP three-way handshake.
   - Connect scans are really easy to detect.
     - The web server's log file will indicate that a connection was opened from the attacker's IP address.
     - Attackers often use stealthier scan techniques.

43. A Little Stealthier: TCP SYN Scans
   - SYN scans stop two-thirds of the way through the handshake.
   - If the target port is closed, the attacker's system will receive either no response, a RESET packet, or an ICMP Port Unreachable packet, depending on the target machine type and network architecture.
   - Benefits:
     - Stealthier: a true connection never occurs.
     - Speed.

44. Violate the Protocol Spec: TCP FIN, Xmas Tree, and Null Scans
   - A FIN packet instructs the target system that the connection should be torn down.
     - A closed port should respond with a RESET.
     - An open port will not respond at all.
   - Xmas Tree and Null scans are similar to the FIN scan.
   - Unfortunately, this technique does not work against Microsoft Windows-based systems.

45. Kicking the Ball Past the Goalie: TCP ACK Scans

46. Obscure the Source: FTP Bounce Scans
   - Some old FTP servers allow a user to connect to them and request that the server send a file to another system.
   - The attacker opens a connection to an FTP server supporting the bounce feature.
   - The attacker's tool requests that the innocent FTP server open a connection to a given port on the target system.
   - The innocent FTP server then tells the attacker the status of the port.

47. Don't Forget UDP!
   - UDP does not have a three-way handshake, sequence numbers, or code bits.
   - Packets may be delivered out of order, and are not retransmitted if they are dropped.
   - False positives are common during UDP scans.

48. Setting Source Ports for a Successful Scan
   - TCP port 80 is a popular choice for a source port, as the resulting traffic will appear to be coming from a web server using HTTP.
   - Attackers also widely use TCP source port 25, which appears to be traffic from an Internet mail server using the SMTP protocol.
   - Another interesting option involves using a TCP source port of 20, which will look like an FTP-data connection.

49. Defenses against Port Scanning
   - Harden your systems.
     - Close all unused ports.
     - For critical systems, delete the programs associated with the unneeded services.
   - Find the openings before the attackers do.
     - Scan your systems before an attacker does to verify that all ports are closed except those that have a defined business need.
   - Add some intelligence: use stateful packet filters or proxies.

50. Vulnerability Scanning Tools
   - A vulnerability-scanning tool will automatically check for the following types of vulnerabilities on the target system:
     - Common configuration errors: numerous systems have poor configuration settings, leaving various openings for an attacker to gain access.
     - Default configuration weaknesses: default accounts and passwords.
     - Well-known system vulnerabilities: new security holes are discovered and published.

51. Vulnerability Scanning Defenses
   - Again, close all unused ports and apply patches to your systems.
   - Run the tools against your own networks.
     - Use any one of the free or commercial tools.
     - Be careful with denial-of-service and password-guessing tests.
       - You could damage your systems if you misconfigure the tools.
       - Be sure to disable denial-of-service attacks, unless you specifically want them.
       - Password guessing may lock out legitimate users.

52. Vulnerability Scanning Defenses (cont.)
   - Be aware of the limitations of vulnerability scanning tools.
     - These tools only check for vulnerabilities that they know about.
       - You must be sure to keep the vulnerability database up to date.
     - These tools don't really understand the network architecture.

53. Intrusion Detection Systems
   - All of the scanning tools are incredibly noisy.
     - A robust vulnerability scan could send hundreds of thousands or millions of packets to the target network.
   - A network-based IDS captures all data on the LAN, gathering packets associated with normal use of the network and attacks alike.
   - IDSs detect attacks by matching attack signatures in their database.
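The detectability the connect-scan and IDS slides describe, as an added defender-side example (not code from the slides or from any IDS product): a detector that reads connection log lines and flags a source that touches many distinct ports on one host within a short window, the pattern a port scan leaves behind. The log format, the sample lines, the 60-second window and the five-port threshold are constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, protocol/flag, source, destination, port.
# Source 203.0.113.5 probes seven ports in three seconds; 198.51.100.20 is a
# normal client that opens a few connections minutes apart.
SAMPLE_LOG = """\
2003-03-12T02:14:07 TCP SYN src=203.0.113.5 dst=192.0.2.10 dport=21
2003-03-12T02:14:07 TCP SYN src=203.0.113.5 dst=192.0.2.10 dport=22
2003-03-12T02:14:08 TCP SYN src=203.0.113.5 dst=192.0.2.10 dport=23
2003-03-12T02:14:08 TCP SYN src=203.0.113.5 dst=192.0.2.10 dport=25
2003-03-12T02:14:09 TCP SYN src=203.0.113.5 dst=192.0.2.10 dport=80
2003-03-12T02:14:09 TCP SYN src=203.0.113.5 dst=192.0.2.10 dport=110
2003-03-12T02:14:10 TCP SYN src=203.0.113.5 dst=192.0.2.10 dport=143
2003-03-12T02:14:11 TCP SYN src=198.51.100.20 dst=192.0.2.10 dport=80
2003-03-12T02:15:30 TCP SYN src=198.51.100.20 dst=192.0.2.10 dport=443
2003-03-12T02:20:00 TCP SYN src=198.51.100.20 dst=192.0.2.10 dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) TCP SYN src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def parse(log_text):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def detect_scans(log_text, window_seconds=60, port_threshold=5):
    """Return {src: ports} for sources that hit >= port_threshold distinct ports on
    one destination within window_seconds. A sliding window over each (src, dst)
    pair keeps slow, spread-out legitimate connections from being flagged."""
    events = defaultdict(list)                 # (src, dst) -> [(ts, dport), ...]
    for ts, src, dst, dport in parse(log_text):
        events[(src, dst)].append((ts, dport))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for (src, dst), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                     # drop events older than the window
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= port_threshold:
                alerts.setdefault(src, set()).update(ports)
    return alerts

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {sorted(ports)}")
```

A SYN scan never completes the handshake, so this has to run over firewall or sensor logs that record SYN attempts rather than over application logs that only see completed connections.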
54. Evading Network-Based Intrusion Detection Systems
   - Mess with the appearance of traffic so it doesn't match the signature.
     - Because detection is based on signature matching, attackers work hard to make sure their attacks don't look like the signatures checked by the IDS.

55. IDS Evasion at the Network Level
   - A large IP packet is broken down into a series of fragments, each with its own IP header. To detect attacks, the IDS needs to store, reassemble, and analyze all of these fragments.
   - Use fragments: older IDSs cannot handle fragment reassembly.
   - Send a flood of fragments: tie up all of the memory capacity of the IDS.
   - Fragment the packets in unexpected ways: fragment the packets in a variety of unusual ways.
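Why the slide says an IDS must store and reassemble fragments before it can match anything, as an added example (not code from the slides or from any IDS): a minimal reassembler that rebuilds a datagram from out-of-order fragments and refuses overlapping ones, so that a signature split across fragments is still found. The fragment model (byte offsets rather than the 8-byte units of a real IP header), the signature and the sample fragments are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    packet_id: int   # IP Identification field: ties the fragments of one datagram together
    offset: int      # payload offset in bytes (real IP headers count in 8-byte units)
    more: bool       # More Fragments flag: set on every fragment except the last
    payload: bytes

class Reassembler:
    """Hold fragments per packet id and rebuild the datagram once it is complete.

    Overlapping fragments are rejected instead of silently resolved: end hosts
    differ on whether the first or the last copy wins, and an IDS that guesses
    wrong inspects a different byte stream than the one the host actually sees.
    """
    def __init__(self):
        self.pending = {}   # packet_id -> list of Fragment still waiting

    def add(self, frag):
        """Store one fragment; return the full payload if that completes it, else None."""
        frags = self.pending.setdefault(frag.packet_id, [])
        end = frag.offset + len(frag.payload)
        for other in frags:
            if frag.offset < other.offset + len(other.payload) and other.offset < end:
                raise ValueError(f"overlapping fragment in datagram {frag.packet_id}")
        frags.append(frag)
        return self._try_complete(frag.packet_id)

    def _try_complete(self, packet_id):
        frags = sorted(self.pending[packet_id], key=lambda f: f.offset)
        if frags[-1].more:
            return None          # the final fragment has not arrived yet
        expected = 0
        for f in frags:
            if f.offset != expected:
                return None      # a gap remains: keep waiting (a real IDS also times out)
            expected += len(f.payload)
        del self.pending[packet_id]
        return b"".join(f.payload for f in frags)

# Constructed signature and sample fragments: the pattern spans three fragments,
# so matching each fragment on its own would miss it.
SIGNATURE = b"GET /cgi-bin/"
SAMPLE_FRAGMENTS = [
    Fragment(7, 7, True, b"i-bin/t"),     # arrives first, out of order
    Fragment(7, 14, False, b"est"),
    Fragment(7, 0, True, b"GET /cg"),
]

def matches(payload):
    return SIGNATURE in payload

def inspect(fragments):
    """Feed fragments to the reassembler and report whether the rebuilt datagram matches."""
    r = Reassembler()
    for frag in fragments:
        if matches(frag.payload):
            return True          # never true for SAMPLE_FRAGMENTS: the pattern is split
        full = r.add(frag)
        if full is not None and matches(full):
            return True
    return False

if __name__ == "__main__":
    print("alert" if inspect(SAMPLE_FRAGMENTS) else "clean")
```

The flood-of-fragments evasion on the slide targets exactly the `pending` table here: a real IDS bounds it and expires incomplete datagrams, which this model leaves out.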
56. IDS Evasion Defenses
   - Don't despair: utilize IDS where appropriate.
   - Keep the IDS system up to date.
   - Utilize both host-based and network-based IDS.
     - A network-based IDS listens to the network looking for attacks.
     - A host-based IDS runs on the end system that is under attack.

57. References
   - Counter Hack, Ed Skoudis, Prentice-Hall, Inc., NJ, 2002
   - Hacking Exposed, McClure, Scambray, Kurtz, McGraw-Hill, Chicago, 2001