military preattack strategies to the preattack exercises carried out by professional hackers and penetration testers, or “pentesters.”
Step 1
Military officers conduct scouting to collect information about their targets before an attack. Their goals are to make sure the enemy does not see them coming and to collect as much data as possible about the enemy, so that the attack is effective.
Step 2
Reconnaissance is another word for scouting. The U.S. Army's reconnaissance and surveillance course trains military personnel in surveillance and target acquisition. In reconnaissance, the armed forces research a target to plan the exact point of contact with that target.
Step 3
Reconnaissance, however, is not limited to warfare. It is a tactic used by ordinary people in everyday life. Hackers, for instance, who want to attack a particular network or computer system, perform reconnaissance to learn more about the target.
Just as soldiers might monitor enemy troops from a distance as part of a reconnaissance exercise, hackers might observe activity on a target Web site as part of their reconnaissance. The goal remains the same for both: to study the target and move in precisely, not randomly.
Groups and Forums
Many users share information about the vulnerabilities of their systems and ask for solutions or answer queries posed by other users. Hackers use such forums to gather information about target systems and find vulnerabilities in the systems.
Social Engineering Techniques
Social engineering is the art of tricking people into giving out classified data. A common social engineering technique that hackers use is joining chat rooms their targets might use. In these chat rooms, hackers are able to start conversations through which they can extract valuable data from targets.
Vulnerability Research Sites
Hackers visit vulnerability research Web sites such as www.securityfocus.com or www.hackerstorm.com for the latest attack tools and techniques.
People-Search Sites
To find information such as names of a system administrator, security engineer, or network engineer of a target company, hackers visit people-search Web sites such as people.yahoo.com or www.peoplefinder.com.
UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC
DNS and obtain registered information, such as the domain ownership, address, location, and phone number.
NSLookup
The NSLookup tool allows anyone to query a DNS server for information such as host names and IP addresses. Using the NSLookup tool, a hacker can perform a DNS zone transfer and gather a great deal of information about the target.
ARIN (www.arin.net)
The American Registry for Internet Numbers (ARIN) is one of five worldwide regional Internet registries (RIRs). ARIN oversees public IP addresses for North America. Hackers query ARIN to identify the range of IP addresses their target network uses.
ARIN allows hackers to:
- Perform Whois-type searches on its database to locate information about network-related handles, subnet masks, and related points of contact (POC).
- Query an IP address to help identify how IP addresses are assigned. For example, a hacker can enter the Web server IP address of a target network into the ARIN Web site, www.arin.net, using Whois to identify the number and the range of IP addresses in use.
Introduction
Krista Le Saad is a popular gray hat hacker known for her reconnaissance skills. She has been given an assignment to find out the IP address of the administrative system managing an online bookstore called www.largobooks.com. The assignment has been delegated to Krista by a penetration tester, Sean Stasis.
Sean works for a leading IT security firm and needs to find the loopholes and vulnerabilities in www.largobooks.com's network. He often outsources such assignments to young aspiring hackers. Sean's team is ready to begin patching all vulnerabilities once he gets the results from Krista's inquiries.
Krista has been given 24 hours to hack into www.largobooks.com. To meet that deadline, Krista needs your help. In this activity, you will be asked to perform three active reconnaissance steps. You will use tools, commands, and Web sites, such as FindRecord and NSLookup, to locate the DNS and IP address and perform a zone transfer.
Workspace
To help Krista find the IP address of www.largobooks.com’s administrative system, perform the following three steps:
DNS.
devices, and open ports or services. There are various types of scanning, such as IP scanning, port scanning, and vulnerability scanning.
Sometimes, it is not easy to differentiate between the three preattack phases—reconnaissance, scanning, and enumeration. Many of the same information-gathering techniques are used across these phases. For example, port scanning can be considered a part of reconnaissance or a part of the scanning phase.
Types of Scanning
IP scanning is a technique that can be used to identify the live systems connected to a network segment or IP range.
Port scanning is the process of scanning a host to determine which Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports are accessible.
Vulnerability scanning is the process of automatically assessing networks or applications for vulnerabilities.
FIN scan unreliable.
ACK Scan
Attackers use ACK scanning to learn which firewall ports are filtered and which are unfiltered.
Scenario 1
An attacker sends an ACK packet to the target port’s firewall. If there is no response or an “ICMP destination unreachable” message is returned, then the port is considered to be filtered.
This means that the firewall is stateful. It knows that no internal host has initiated any SYN packet that matches the ACK packet sent by the attacker.
Scenario 2
If the target’s firewall returns an RST, then the port is unfiltered. Because there is no firewall rule for that port, the attacker knows that the port is vulnerable.
Quiz
Jorge, a black hat hacker, is launching a port-scanning attack on a Web server with an IP address of 192.168.195.128.
Question 1: In the packets numbered 9–19, which type of port scanning is used to attack the Web server?
a. Xmas tree scan
b. FIN scan
c. SYN stealth scan
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
Correct answer: Option c
Feedback:
If you look at packets 15 and 16, the SYN and SYN+ACK packets are exchanged by the attacker and Web server. However, no ACK is sent from the attacker’s host. Instead, the attacker sends a new SYN packet to the Web server. This new SYN packet clearly indicates that this is a SYN stealth scan.
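The reasoning in the feedback, turned into detection logic as an added example (not part of the course material): the script walks a constructed packet trace and flags a source that leaves SYN/SYN+ACK exchanges half-open and never completes a handshake. The client and scanner addresses are hypothetical; the server is the quiz's 192.168.195.128.

```python
"""Detect a half-open (SYN stealth) scan from a packet trace.

Added example for this module, not part of the course material. The trace
is constructed to mirror the quiz: SYN and SYN+ACK are exchanged, but the
scanner never completes the handshake and instead sends a new SYN to
another port. Client and scanner addresses are hypothetical; the server is
the quiz's 192.168.195.128.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    no: int
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags as letters: S=SYN, A=ACK, R=RST


SERVER = "192.168.195.128"
CLIENT = "192.168.195.50"   # legitimate client, completes the handshake
SCANNER = "192.168.195.77"  # half-open scanner

TRACE = [
    Packet(1, CLIENT, SERVER, 50000, 80, "S"),
    Packet(2, SERVER, CLIENT, 80, 50000, "SA"),
    Packet(3, CLIENT, SERVER, 50000, 80, "A"),      # full three-way handshake
    Packet(9, SCANNER, SERVER, 41000, 22, "S"),
    Packet(10, SERVER, SCANNER, 22, 41000, "RA"),   # port 22 closed
    Packet(11, SCANNER, SERVER, 41001, 80, "S"),
    Packet(12, SERVER, SCANNER, 80, 41001, "SA"),   # port 80 open
    Packet(13, SCANNER, SERVER, 41001, 80, "R"),    # scanner resets, never ACKs
    Packet(14, SCANNER, SERVER, 41002, 135, "S"),
    Packet(15, SERVER, SCANNER, 135, 41002, "SA"),  # port 135 open, left half-open
    Packet(16, SCANNER, SERVER, 41003, 443, "S"),   # new SYN instead of an ACK
    Packet(17, SERVER, SCANNER, 443, 41003, "SA"),  # port 443 open, left half-open
    Packet(18, SCANNER, SERVER, 41004, 21, "S"),
    Packet(19, SERVER, SCANNER, 21, 41004, "RA"),   # port 21 closed
]


def analyze(trace):
    """Per source: ports probed, handshakes completed, closed, half-open."""
    pending = {}  # (client, cport, server, sport) -> "syn" | "synack"
    stats = defaultdict(lambda: {"probed": set(), "completed": 0,
                                 "closed": 0, "half_open": 0})
    for p in trace:
        fwd = (p.src, p.sport, p.dst, p.dport)  # key if p is client -> server
        rev = (p.dst, p.dport, p.src, p.sport)  # key if p is server -> client
        if "S" in p.flags and "A" not in p.flags:  # client SYN
            pending[fwd] = "syn"
            stats[p.src]["probed"].add(p.dport)
        elif "S" in p.flags:                       # server SYN+ACK
            if pending.get(rev) == "syn":
                pending[rev] = "synack"
        elif "R" in p.flags:
            if pending.get(fwd) == "synack":
                continue  # client RST after SYN+ACK: the probe stays half-open
            if pending.get(rev) == "syn":          # server refused: port closed
                del pending[rev]
                stats[rev[0]]["closed"] += 1
        elif p.flags == "A" and pending.get(fwd) == "synack":
            del pending[fwd]                       # handshake completed
            stats[p.src]["completed"] += 1
    for (client, _, _, _), state in pending.items():
        if state == "synack":
            stats[client]["half_open"] += 1
    return dict(stats)


def suspected_scanners(stats, min_half_open=2):
    """Sources that leave handshakes half-open and never complete one."""
    return sorted(ip for ip, s in stats.items()
                  if s["half_open"] >= min_half_open and s["completed"] == 0)


if __name__ == "__main__":
    result = analyze(TRACE)
    for ip, s in sorted(result.items()):
        print(ip, {k: (sorted(v) if isinstance(v, set) else v) for k, v in s.items()})
    print("suspected SYN scanners:", suspected_scanners(result))
```

The same logic would run over a Wireshark export with the flags column mapped to S/A/R letters; the legitimate client is kept in the trace so the threshold can be checked against a normal connection.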
The attacker enters the Nmap command nmap -sS -p T:1-1023 -O -v -Pn 192.168.195.128 to specify that the TCP stealth scan is performed with a port range of 1 through 1023 on the host IP 192.168.195.128.
3. OS Switch
The attacker enables the -O switch to attempt to determine the operating system.
4. Ping
The attacker specifies -Pn, which means that the ping-based host discovery step is skipped.
5. OS Details
Note that the operating system is Microsoft Windows XP 2003 or Microsoft XP Professional SP2.
6. Result
The results show that the host server with an IP address of 192.168.195.128 has ports 80, 135, 139, 443, and 445 open and uses Microsoft Windows XP 2003 as its operating system.
The attacker types the command telnet www.umuc.edu 80 to connect to the Web server www.umuc.edu.
2. HEAD
Then, the attacker types HEAD / HTTP/1.0 to send an HTTP request to the Web server.
3. Apache X
The telnet output displays the content of the HTTP response header received from the UMUC Web server. The HTTP header shows that the type of Web server is Apache powered by PHP.
4. Malformed HTTP Packet
Using another telnet connection—telnet www.umuc.edu—the attacker sends a malformed HTTP packet to the Web server, which is an invalid input as HTTP 3.0 is not available. The attacker sends a malformed packet because some targets do not show any useful information if they are given a valid input.
We have come to the end of Module 2. The key concepts covered in this module are listed below.
- to study the target they plan to attack. The first three phases of this preattack exercise—reconnaissance, scanning, and enumeration—are the most critical.
- and active reconnaissance. During passive reconnaissance, hackers research open-source sites and groups and forums, as well as social engineering sites to gather nontechnical data about their targets. During active reconnaissance, hackers use technical tools such as Whois, NSLookup, the American Registry for Internet Numbers (ARIN), Domain Information Groper (DIG), and Traceroute to find their targets’ IP addresses.
- hackers are able to find out the domain name, administrative contact, technical contact, and name servers of their target. The IP address of the domain name server is not revealed until hackers type the NSLookup command and perform a zone transfer.
- live systems, devices, and open ports in their network. There are three types of scanning: IP, port, and vulnerability scanning.
- network. Port scanning is used to find accessible Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports. Vulnerability scanning is used to assess networks for vulnerabilities.
- Port scans that help hackers obtain data—TCP connect scans, SYN scans, NULL scans, ACK scans, FIN scans, and Xmas tree scans—can be performed as horizontal or vertical scans.
- -mapping utility that determines which hosts are available on the network and lists the services those hosts offer. With Nmap, a system administrator can perform many types of port scans.
ACK scanning is a type of port scan that tells whether ports on a firewall are filtered or unfiltered. If the target’s firewall returns an RST, then the port is unfiltered and vulnerable.
American Registry for Internet Numbers: The American Registry for Internet Numbers (ARIN) is the IP address registry for North America. ARIN allows Whois-type searches on its database to locate information on networks.
Domain Information Groper: The DIG command allows attackers to search the DNS database and find the open name servers attached to a domain.
Domain Name Service: The Domain Name Service (DNS) translates Internet domain names, such as www.xyz.com, into Internet Protocol (IP) addresses.
Domain Name System: Domain Name System is an Internet system that associates domain names with IP addresses, allowing computers to communicate over the World Wide Web.
Enumeration: Enumeration is the third phase in a hacker’s preattack exercise. Hackers use enumeration techniques to learn technical data—operating systems and user accounts—about a network system.
FIN Scan: The FIN (finish) scan is a type of port scan that is able to pass through firewalls. Open ports don’t respond, but closed ports respond with an RST.
Footprinting: A method of processing or gathering information about a target system.
Internet Control Message Protocol: The Internet Control Message Protocol (ICMP) integrates with the Internet Protocol (IP). It reports error, control, and informational messages between a host and a gateway.
Nmap: The Nmap security scanner is used to discover hosts and services on a network. Based on the network conditions, it sends packets with specific information to the target host and evaluates the responses to create a network map.
NSLookup: The NSLookup tool queries a DNS server and performs a DNS zone transfer to gather data on a targeted network.
NULL Scan: A NULL scan is a type of port scan in which an attacker sends a data packet without any flag set. If the port is open, the target host ignores the packet.
RFC 793: RFC (Request for Comments) 793 is a document which describes the DoD Standard Transmission Control Protocol (TCP).
Scanning: Scanning is the second preattack phase used by hackers to discover live systems, devices, and open ports on a network. Hackers perform three types of scanning: IP, port, and vulnerability scanning.
Social Engineering: Social engineering is a method of gathering information, seeking computer access, or committing fraud by using manipulation and deceit to get people to reveal confidential information about themselves or an organization.
SYN Scan: In a SYN stealth scan, the attacker sends an initial SYN packet to the target. If the port is open, the target responds with a SYN/ACK.
TCP/IP: Transmission Control Protocol/Internet Protocol (TCP/IP) is the communication protocol suite for the Internet.
TCP Connect Scan: In a TCP connect scan, an attacker tries to establish a connection on a port of the target system by a three-way handshake. The attacker knows the target port is open if the connection is successfully established.
vehicles along roads and highways, computer networks use their own traffic guidance systems. On a computer network, traffic is handled using routers and switches that ensure the secure and efficient exchange of data.
Consider an analogy comparing vehicle traffic with data traffic.
Managing Network Traffic
Slide 1
Imagine you are driving and you come to an intersection with four stop signs. It takes a while to cross because everyone has to take turns, and there can be confusion.
Now imagine what the traffic would be like if there were an overpass, where one of the roads went over the other. That way, no one would have to stop. This model of an overpass is a simplified way to think of a switch.
Slide 2
A switch does the same thing as a hub and a bridge, but more effectively.
A switch lets you add computers to your network and makes virtual connections between computers that need to "talk" to each other. As soon as the computers have finished talking to each other, the virtual connection is broken. Breaking the connection right away eliminates collisions in network traffic.
The only shortcoming of a switch is that it will not keep a broadcast from tying up the communication lines. When one computer needs to find the address of another computer, it sends out a broadcast over the whole network to find the address. Each computer in the network receives the broadcast and “looks” to see if it is the intended recipient.
The broadcast can occupy the network because none of the other computers can send a message while it is taking place. Routers solve this problem.
Slide 3
Routers do everything that a switch does, but they use a different method to address the packets of information—they use IP addresses. A router acts like a post office. It decides the best route that a packet can take to get to different networks.
A router can divide your network into different subnetworks and contain a broadcast within a smaller area so that the whole network does not need to receive the broadcast. The router keeps your resources from being tied up with unnecessary network traffic jams.
This process is like taking a city—that is, your network—and dividing it into neighborhoods. When the residents in one locality want to publicize a neighborhood watch meeting, they can tell
Initially, the MAC table of a switch is empty; the switch does not know the MAC address of a PC, printer, or any other attached device. Consider the following example: a LAN consists of Host A with a MAC address of AAAA, Host B with a MAC address of BBBB, Host C with a MAC address of CCCC, and a switch.
Note that in the real world, MAC addresses are 48 bits long; the addresses used here are shortened to simplify the example. Hosts A, B, and C are connected to the first, second, and third Ethernet ports, Fa0/1, Fa0/2, and Fa0/3, respectively. Assume that the switch’s MAC table can hold only two entries. In reality, MAC tables have much larger capacities.
Example
Step 1
Initially, the MAC table is empty. A frame originating from Host A arrives at the first Ethernet port on the switch (Fa 0/1). Host A wants to communicate with a host whose MAC address is BBBB, the destination address in the frame.
The switch inspects the source MAC address to determine whether there is already an existing entry in the table. Since the MAC table is empty, a new entry is made that records the source MAC address and the port number. By recording these details in the MAC table, the switch specifies where to send a frame when it needs to be sent to the source MAC address.
Activity
You will now be presented with a few questions based on Layer 2 and MAC attacks.
Question 1: On what basis do Layer 2 devices such as switches route Ethernet frames?
a. Layer 2 devices route Ethernet frames based on IP addresses.
b. Layer 2 devices route Ethernet frames based on MAC addresses.
c. Layer 2 devices route Ethernet frames based on the IP address table.
Correct answer: Option b
Feedback:
Layer 2 devices such as switches route Ethernet frames based on the source and destination MAC addresses. A switch relies on a MAC table to forward a frame to a destination MAC address, just as a router uses a routing table to forward an IP packet to a destination IP address.
Question 2: Which of the following scenarios describes unknown unicast flooding?
a. A switch flooding an Ethernet frame on all active ports when it cannot locate a source MAC address
b. A switch attempting to make additional entries in a MAC table that is at capacity
c. A switch flooding an Ethernet frame on all active ports when it cannot locate a destination MAC address
d. Ethernet frames being sent without a destination MAC address
Correct answer: Option c
Feedback:
In unknown unicast flooding, when a switch cannot locate a particular destination MAC address, it will simply flood an Ethernet frame on all active ports, hoping that the frame will reach the destination host.
Question 3: Which of the following statements describes a MAC flooding attack?
a. An attacker tries to create a permanently full MAC table that will force a switch to flood traffic on all active ports.
b. An attacker attempts to inject fake or misleading MAC addresses into a MAC table.
c. An attacker generates a fake frame by entering the victim’s MAC address in the source field of the fake frame.
Correct answer: Option a
Feedback:
In a MAC flooding attack, an attacker tries to create a permanently full MAC table that forces the switch to flood all traffic on all active ports. The attack is launched from one of the ports on a LAN so all communication taking place on that LAN is visible to the attacker. This visibility enables the attacker to monitor all frames passed through the
Address Resolution Protocol
Address Resolution Protocol (ARP) is a protocol used to find the MAC address of a host when the IP address of the host is known.
How Does ARP Work?
Consider an example to see how ARP works.
Assume that Host A, with the IP address 192.168.1.1/24, needs to send a frame to a destination host with the IP address of 192.168.1.3/24.
To send the frame, Host A needs to know the MAC address of the destination host. By comparing its own IP address with the destination host’s IP address, Host A knows that the destination host is part of the same LAN as itself.
Host A sends an Ethernet broadcast frame. Note that the standard address for Ethernet broadcasts is FFFF.FFFF.FFFF.
Upon receiving the broadcast frame, the switch floods the frame on all ports in the LAN, and all the hosts in the LAN receive this broadcast frame. This broadcast frame is known as an ARP request.
Host B and Host C receive the ARP request from Host A. Host C sends a solicited ARP reply to Host A. The ARP reply contains Host C’s MAC address and IP address.
Topic 5: Layer 2: Address Resolution Protocol Exploitation
ARP Spoofing Attacks
An ARP spoofing attack, also known as ARP poisoning, enables an attacker to sniff out all IP packets sent to the target host. Consider an example of how an ARP spoofing attack is carried out.
Step 1
The attack is initiated by a host with the IP address 192.168.1.2. The attacker’s host machine sends a fake Gratuitous ARP to Host A. The fake Gratuitous ARP tells Host A that 192.168.1.3 is tied to the MAC address of BBBB. Note that 192.168.1.3 is actually tied to Host C, not the attacker. Upon receiving the ARP request, Host A adds a new entry to its ARP table, correlating the MAC address BBBB with the IP address 192.168.1.3.
Step 2
As seen with the frame sent by Host A, all the IP packets intended for Host C are sent to the attacker’s MAC address. This is because Host A believes that Host C’s MAC address is BBBB, which is actually the attacker’s MAC address.
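Steps 1 and 2 seen from the defender's side, as an added example (not the course's own code): a monitor that learns IP-to-MAC bindings only from solicited ARP replies and alerts when a reply claims a different MAC for 192.168.1.3 than the one already known, or when one MAC answers for several IPs. The hosts follow the text (Host A 192.168.1.1/AAAA, attacker 192.168.1.2/BBBB, Host C 192.168.1.3/CCCC); the exchange it processes is constructed.

```python
"""Flag ARP spoofing (ARP poisoning) by watching IP-to-MAC bindings.

Added example for this module, not the course's own code. Addresses
follow the text's LAN (Host A 192.168.1.1/AAAA, attacker 192.168.1.2/BBBB,
Host C 192.168.1.3/CCCC); the ARP exchange below is constructed. A reply
is unsolicited when no request for that IP was seen, and bindings are
learned only from solicited replies, so a fake gratuitous ARP cannot
poison the monitor's own table.
"""
from dataclasses import dataclass

BROADCAST = "FFFF.FFFF.FFFF"


@dataclass(frozen=True)
class Arp:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


class ArpWatch:
    def __init__(self, static_bindings=None):
        self.bindings = dict(static_bindings or {})  # ip -> trusted mac
        self.pending = set()   # IPs that were asked for and await a reply
        self.alerts = []

    def observe(self, m):
        if m.op == "request":
            self.pending.add(m.target_ip)
            self._check(m, unsolicited=False)
            return
        unsolicited = m.sender_ip not in self.pending
        self.pending.discard(m.sender_ip)
        if self._check(m, unsolicited) and not unsolicited:
            self.bindings.setdefault(m.sender_ip, m.sender_mac)

    def _check(self, m, unsolicited):
        """Record an alert if the claimed binding contradicts what we know."""
        reasons = []
        known = self.bindings.get(m.sender_ip)
        if known is not None and known != m.sender_mac:
            reasons.append("conflicts-with-table")
        # One MAC answering for several IPs is the signature of a poisoner.
        others = [ip for ip, mac in self.bindings.items()
                  if mac == m.sender_mac and ip != m.sender_ip]
        if others:
            reasons.append("mac-also-bound-to:" + ",".join(others))
        if not reasons:
            return True
        # Context that sharpens the alert but is not suspicious on its own.
        if m.op == "reply" and unsolicited:
            reasons.append("unsolicited-reply")
        if m.op == "reply" and m.sender_ip == m.target_ip:
            reasons.append("gratuitous")
        self.alerts.append({"ip": m.sender_ip, "claimed_mac": m.sender_mac,
                            "known_mac": known, "reasons": reasons})
        return False


# Constructed exchange: Host A resolves Host C and Host B normally, then the
# attacker (192.168.1.2, BBBB) sends the fake gratuitous ARP from Step 1.
EXCHANGE = [
    Arp("request", "192.168.1.1", "AAAA", "192.168.1.3", "0000.0000.0000"),
    Arp("reply", "192.168.1.3", "CCCC", "192.168.1.1", "AAAA"),
    Arp("request", "192.168.1.1", "AAAA", "192.168.1.2", "0000.0000.0000"),
    Arp("reply", "192.168.1.2", "BBBB", "192.168.1.1", "AAAA"),
    Arp("reply", "192.168.1.3", "BBBB", "192.168.1.3", BROADCAST),
]


def run(exchange=EXCHANGE):
    watch = ArpWatch()
    for m in exchange:
        watch.observe(m)
    return watch


if __name__ == "__main__":
    w = run()
    for a in w.alerts:
        print("ALERT", a)
    print("bindings:", w.bindings)
```

Seeding `static_bindings` with the known addresses of servers and gateways turns the same check into the static-ARP-entry defence for the hosts that matter most.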
1. AAAA Fa 0/1
2. BBBB Fa 0/2
b.
MAC Address Interface
1. BBBB Fa 0/2
2. AAAA Fa 0/1
c.
MAC Address Interface
1. BBBB Fa 0/2
2. CCCC Fa 0/3
Correct answer: Option b
Feedback:
The source MAC address of the Gratuitous ARP frame sent to Host A is BBBB. This frame originates from the attacker’s host and is forwarded to switch port Fa0/2. Therefore, the first line in the MAC table is filled with BBBB as the MAC address and Fa0/2 as the interface.
When Host A sends an IP packet intended for Host C (Step 1 in Diagram B), the source MAC address of the frame is AAAA and that frame is sent to switch port Fa 0/1. As a result, the second line of the MAC table contains AAAA as the MAC address and Fa 0/1 as the interface.
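One simulation covering the MAC-table learning walkthrough, the MAC flooding quiz question, and this table question, as an added example (not the course's own code): a two-entry CAM table that learns source MACs, floods unknown unicasts, evicts the oldest entry when full, and optionally enforces the glossary's port security (one MAC per port). MACs and ports follow the text; the attacker's D000.. source addresses are constructed.

```python
"""Simulate a switch MAC (CAM) table: learning, unknown unicast flooding,
a capacity limit, and a port-security check.

Added example for this module, not the course's own code. MACs are the
text's shortened AAAA/BBBB/CCCC, ports are Fa0/1..Fa0/3, and the two-entry
table is the text's assumption. The one-MAC-per-port limit models the
glossary's port security; the attacker's D000.. source MACs are constructed.
"""
from collections import OrderedDict

BROADCAST = "FFFF.FFFF.FFFF"
PORTS = ["Fa0/1", "Fa0/2", "Fa0/3"]


def frame(src, dst, ingress):
    return {"src": src, "dst": dst, "ingress": ingress}


class Switch:
    def __init__(self, ports, capacity=2, max_macs_per_port=None):
        self.ports = list(ports)
        self.capacity = capacity
        self.max_macs_per_port = max_macs_per_port  # None: port security off
        self.table = OrderedDict()   # mac -> port, oldest entry first
        self.shutdown = set()        # ports err-disabled by port security
        self.violations = []         # (port, offending source mac)

    def learn(self, mac, port):
        """Record the source MAC; return False if port security rejects it."""
        on_port = {m for m, p in self.table.items() if p == port}
        if (self.max_macs_per_port is not None and mac not in on_port
                and len(on_port) >= self.max_macs_per_port):
            self.violations.append((port, mac))
            self.shutdown.add(port)
            return False
        if mac in self.table:
            self.table.move_to_end(mac)          # refresh the entry
        elif len(self.table) >= self.capacity:
            self.table.popitem(last=False)       # evict the oldest entry
        self.table[mac] = port
        return True

    def forward(self, fr):
        """Return the egress ports for a frame."""
        ingress = fr["ingress"]
        if ingress in self.shutdown or not self.learn(fr["src"], ingress):
            return []
        if fr["dst"] != BROADCAST and fr["dst"] in self.table:
            return [self.table[fr["dst"]]]
        # Broadcast, or unknown unicast: flood every other active port.
        return [p for p in self.ports if p != ingress and p not in self.shutdown]


def arp_spoof_scenario():
    """The quiz scenario: attacker's gratuitous ARP, then Host A's IP packet."""
    sw = Switch(PORTS, capacity=2)
    out1 = sw.forward(frame("BBBB", "AAAA", "Fa0/2"))  # AAAA unknown: flooded
    out2 = sw.forward(frame("AAAA", "BBBB", "Fa0/1"))  # BBBB known: Fa0/2 only
    return list(sw.table.items()), out1, out2


def mac_flood_scenario(port_security):
    """Attacker on Fa0/2 sprays source MACs; Host C then sends to Host A."""
    sw = Switch(PORTS, capacity=2, max_macs_per_port=1 if port_security else None)
    sw.forward(frame("AAAA", BROADCAST, "Fa0/1"))
    sw.forward(frame("CCCC", "AAAA", "Fa0/3"))
    for i in range(4):
        sw.forward(frame(f"{0xD000 + i:04X}", "AAAA", "Fa0/2"))
    egress = sw.forward(frame("CCCC", "AAAA", "Fa0/3"))
    return sw, egress


if __name__ == "__main__":
    print(arp_spoof_scenario())
    for ps in (False, True):
        sw, egress = mac_flood_scenario(ps)
        print("port security", ps, "-> Host C to Host A egress", egress,
              "table", dict(sw.table), "shutdown", sorted(sw.shutdown))
```

Without port security the flooded table makes Host C's frame to Host A spill onto the attacker's port; with it, the second foreign MAC on Fa0/2 shuts that port down and the frame is flooded only toward Fa0/1.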
Introduction
Dynamic routing protocols such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP) help determine the path of a packet through a network without having to manually configure it.
Routers build routing tables by exchanging routing information with each other. When a packet arrives at a router, it routes the packet based on this table. Attackers try to inject bogus entries into routing tables in an attempt to compromise network stability. If a routing table is inaccurate, packets could end up being dropped as they are routed to invalid destinations. This significantly decreases the stability of the network.
Example: Routing Table Modification
As seen in this diagram, if a router uses the RIP version 1 routing protocol that does not implement authentication or is not correctly configured, an attacker can send false routing update packets to contaminate the routing table.
Without security measures in place, routers send routing updates in clear text. This enables an attacker to masquerade as a trusted neighbor, send a bogus routing update, and pollute the routing table.
Routing Table Analysis
A routing table contains multiple rows. Each row contains at least two fields: a destination address and the name of the interface where the IP packet should be routed, or the IP address of another router that will carry the IP packet on its next step through the network.
For example, consider the routing table of Router B. We can interpret the line starting with R in the routing table as “to reach the destination network 172.16.0.0, which is a network behind Router A, a packet must be forwarded to the interface 10.10.10.1 of Router A.”
To build a routing table, routers must exchange their routing information with their neighboring routers. In this example, Router A has only one network, 172.16.0.0/24, attached to itself. Therefore, when Router A sends its routing update to Router B, this network address, 172.16.0.0/24, must be included in the update payload.
In addition, when RIP version 2 is configured to support MD5 authentication, a keyed hash (also called a keyed message digest) is also included in Router A’s routing update, along with the routing update payload, which is clear text.
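The keyed digest just described, worked through as an added example (not the course's code and not the RFC 2082 wire format): Router A's clear-text update for 172.16.0.0/24 travels with an MD5 digest computed over payload plus shared key, Router B recomputes it before accepting the update, and the resulting table entry is the "R ... via 10.10.10.1" line from the routing table analysis. The payload encoding, the shared key and the attacker's address 10.10.10.99 are constructed; the unauthenticated router models the RIP version 1 case from the introduction.

```python
"""Keyed digest on a RIP-style routing update, the idea behind the RIPv2
MD5 authentication the text describes: the update payload stays in clear
text and a keyed hash travels with it, so a neighbour can reject updates
not produced with the shared key.

Added example for this module, not the course's own code and not the
RFC 2082 wire format: the payload is a simplified text rendering of the
route entries, and the digest is MD5 over payload + key padded to 16
bytes (the RFC 2082 construction in outline). Router A at 10.10.10.1 and
172.16.0.0/24 follow the text; the attacker's address and the key are
constructed.
"""
import hashlib
import hmac

SHARED_KEY = b"example-key"  # constructed; shared by Router A and Router B


def encode_update(routes):
    """routes: list of (network, metric) -> clear-text payload bytes."""
    return "\n".join(f"{net} {metric}" for net, metric in routes).encode()


def decode_update(payload):
    return [(net, int(metric)) for net, metric in
            (line.split() for line in payload.decode().splitlines())]


def keyed_digest(payload, key):
    return hashlib.md5(payload + key[:16].ljust(16, b"\0")).digest()


def build_update(routes, key):
    payload = encode_update(routes)
    return payload, keyed_digest(payload, key)


def verify_update(payload, digest, key):
    # Constant-time compare so the check does not leak digest bytes.
    return hmac.compare_digest(keyed_digest(payload, key), digest)


class Router:
    def __init__(self, name, key=None):
        self.name = name
        self.key = key        # None models RIPv1 / unauthenticated RIPv2
        self.table = {}       # network -> (metric, next_hop)
        self.rejected = []    # next hops whose updates failed the digest

    def receive(self, payload, digest, next_hop):
        if self.key is not None and not verify_update(payload, digest, self.key):
            self.rejected.append(next_hop)
            return False
        for net, metric in decode_update(payload):
            via_hop = metric + 1
            if net not in self.table or via_hop < self.table[net][0]:
                self.table[net] = (via_hop, next_hop)  # the "R" line in the text
        return True


def scenario(authenticated):
    """Router B receives A's genuine update, then two bogus ones."""
    router_b = Router("B", key=SHARED_KEY if authenticated else None)
    payload, digest = build_update([("172.16.0.0/24", 1)], SHARED_KEY)
    router_b.receive(payload, digest, "10.10.10.1")
    # Attacker (hypothetical 10.10.10.99) injects a route without the key.
    bogus = encode_update([("10.20.0.0/16", 1)])
    router_b.receive(bogus, keyed_digest(bogus, b"guessed-key"), "10.10.10.99")
    # Attacker replays A's genuine digest on a tampered payload.
    tampered = payload.replace(b" 1", b" 15")
    router_b.receive(tampered, digest, "10.10.10.99")
    return router_b


if __name__ == "__main__":
    for auth in (False, True):
        b = scenario(auth)
        print("authenticated" if auth else "unauthenticated",
              b.table, "rejected:", b.rejected)
```

The digest protects integrity and origin, not confidentiality: the route entries are still readable on the wire, exactly as the text notes for RIPv2.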
covered in this module are listed below.
- networks (LANs). IEEE 802.3 Ethernet is the most predominant LAN standard.
- source and destination IP addresses. Layer 2 devices, such as switches, route an Ethernet frame based on the source and destination MAC addresses.
- full MAC table that forces the switch to flood all traffic on all active ports.
- the MAC address of a victim host by launching a MAC flooding attack on a LAN. The attacker can then generate a fake frame by putting the victim’s MAC address in the source field of the fake frame. The switch receives the fake frame from the attacker’s host and updates its MAC table accordingly.
- the MAC address of a host, given that its IP address is known.
Term: Definition
Address Resolution Protocol (ARP): Address Resolution Protocol (ARP) is a protocol used to find the MAC address of a host when the IP address of the host is known.
ARP Spoofing Attack: An ARP spoofing attack is also known as ARP poisoning. The goal of such an attack is to enable the attacker to sniff out all IP packets sent to the target host.
Content Addressable Memory (CAM) Table: A switch relies on a forwarding table to forward a frame to a destination MAC address. The forwarding table is called a MAC address table or a content addressable memory (CAM) table.
Denial of Service (DoS): DoS attacks flood a target site with large volumes of traffic using “zombie” servers. This flood of traffic consumes all of the target site’s network or system resources and denies access to legitimate users.
Dynamic Host Configuration Protocol (DHCP): DHCP enables servers to distribute Internet Protocol (IP) addresses and configuration data to clients in a network.
Domain Name System (DNS): The DNS translates Internet domain names such as www.xyz.com into Internet Protocol (IP) addresses.
Enhanced Interior Gateway Routing Protocol (EIGRP): EIGRP is an interior gateway protocol that enables efficient exchange of routing updates between routers.
Ethernet: Ethernet is a group of Layer 2 protocols for local area networks (LANs). IEEE 802.3 Ethernet is the most predominant LAN standard. Usually, the term Ethernet is used to signify IEEE 802.3.
Ettercap: Ettercap is a network tool for carrying out man-in-the-middle attacks on a LAN.
Hypertext Transfer Protocol (HTTP): HTTP transmits Web pages to clients.
Media Access Control (MAC) Address: A network interface card (NIC) has a unique address called a Media Access Control (MAC) address. MAC addresses are 48-bit-long unique identifiers written into hardware devices by their manufacturers. These addresses are
routing messages from unknown sources. All dynamic routing protocols except RIP version 1 implement MD5 authentication.
Network Interface Card (NIC): A network interface card is a piece of hardware that is used to connect a computer to a network.
Open Shortest Path First (OSPF): OSPF is a dynamic routing protocol that enables routers to share routes with other routers.
Port Security: Port security ties a given MAC address to a port by preventing any MAC addresses other than the preconfigured ones from showing up on a secure port.
Routing Information Protocol (RIP): RIP is a dynamic routing protocol used by local area homogenous networks to ensure that all hosts in the network share the same routing path data.
Routing Table Modification: Routing table modification, also known as a rerouting attack, is a common vulnerability unique to routers. This attack involves manipulating router updates to route traffic to unwanted destinations.
Unicast Flood Protection: The unicast flood protection feature allows a system administrator to set a limit on the number of unicast floods. When flood protection detects unknown unicast floods exceeding the predefined limit, it sends an alert and shuts down the port that is generating the floods.
Yersinia: Yersinia is a network tool designed to exploit weaknesses in LAN-based network protocols.
Discuss/describe one or more LAN-based attacks (also known as Layer 2 attacks or lower-layer attacks) which are not covered in Module 3, or share any additional thoughts you may have on LAN-based attacks covered in Module 3.
Discuss/describe the port scanning and/or enumeration techniques (attacks) not covered in Module 2. How can the attacks you have described be detected and prevented?