COUNTER HACK - PowerPoint PPT Presentation

Slides: 56
Provided by: insaCom

Transcript and Presenter's Notes

1
COUNTER HACK
  • Chapter 6 Scanning

Information Networking Security and Assurance LAB
Department of Communication Engineering
National Chung Cheng University, Chia-Yi, Taiwan, ROC
Mike
2
Network Mapping
  • Focus on IP-based computer systems.
  • Map out your network infrastructure.
  • Map and scan your Internet gateway, including
    DMZ systems such as Web, mail, FTP, and DNS
    servers.
  • Map and scan your internal network.

(Diagram: the Internet, a border router, a firewall, the internal network, and the servers behind them; the gateway and DMZ are mapped first, then the internal network.)
3
Network Mapping Techniques
  • Finding live hosts
  • Tracing your network topology

4
Finding Live Hosts
  • ICMP ping
  • Ping all possible addresses to determine which
    ones have active hosts
  • Ping uses an ICMP Echo Request packet

(Diagram: the attacker sends an ICMP Echo Request packet to the victim; a live victim answers with an ICMP packet, the Echo Reply.)
5
Traceroute
  • Traceroute relies on the IP Time-To-Live (TTL)
    field.
  • When the TTL reaches zero, the router sends back an
    ICMP Time Exceeded message to the originator.

6
Traceroute
7
Cheops
  • Develops a network inventory and topology using
    ping and traceroute
  • Runs on Linux

8
Defenses against Network Mapping
  • Filter
  • Use firewalls and the packet-filtering capabilities
    of your routers
  • Stop ICMP Time Exceeded messages from leaving your
    network

9
Using port scanners
  • Analyze which ports are open
  • Know the addresses of the live systems first
  • Have a basic understanding of your network
  • The TCP/IP stack has 65,535 TCP/UDP ports
  • RFC 1700, Assigned Numbers

10
Using port scanners
  • Ports are like doors on each machine
  • A port scan knocks on each door to see if anyone
    is listening behind it
  • Someone behind the door: you get a response
  • No one behind the door: no answer comes back

11
Free port-scanning tools
  • Nmap (www.insecure.org/Nmap)
  • Strobe (packetstorm.securify.com/UNIX/scanners/)
  • Ultrascan, a Windows NT port scanner
    (packetstorm.securify.com/UNIX/scanners)

12
Nmap
  • What type of packets does the scanning system
    send?
  • TCP Connect, TCP SYN, TCP FIN, ...
  • Some types could cause the target system to
    become flooded or even crash

13
Types of Nmap Scans
  • Legitimate TCP connections established using a
    three-way handshake

(Diagram: the attacker sends SYN with ISNA; the victim answers ACK ISNA and SYN with ISNB; the attacker answers ACK ISNB; the connection is established.)
14
TCP ACK Scans
15
TCP ACK Scans
(Diagram: from the external network, the attacker sends ACK packets through a packet filter device to destination ports 1024, 1025 and 1026 on the internal network; a RESET comes back only for port 1026. "Aha! I know port 1026 is open through the firewall.")
16
FTP Bounce Scans
(Diagram: the attacker holds an FTP control connection to an FTP server that supports FTP forwarding and asks it to open data connections to send a file to the victim on port 1, port 2, etc.; the victim is scanned by the FTP server.)
17
How to avoid FTP Bounce Scans
  • Make sure that your FTP server does not support
    this bounce capability
  • Check your FTP server (www.cert.org/advisories/CA-1997-27.html)
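
The check behind "make sure your FTP server does not support bounce" is a rule on the PORT command: only open a data connection back to the host that owns the control connection, and only to an unprivileged port. The following is an added example written for these notes; it is not code from Counter Hack, from the CERT advisory or from any FTP server. The PORT argument format (h1,h2,h3,h4,p1,p2) is the one from RFC 959; the client address 192.0.2.10 and the session commands are constructed.

```python
import ipaddress


def parse_port_argument(arg):
    """Parse a PORT argument 'h1,h2,h3,h4,p1,p2' (RFC 959) into ('h1.h2.h3.h4', p1*256+p2)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("expected six comma-separated fields")
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        raise ValueError("fields must be integers")
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("fields must be in 0..255")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def port_command_allowed(control_peer_ip, port_argument):
    """Decide whether to honour a PORT command. Returns (allowed, reason).
    Only a data connection back to the control-connection peer, on an
    unprivileged port, is accepted; anything else is a bounce or a mistake."""
    try:
        target_ip, target_port = parse_port_argument(port_argument)
    except ValueError as exc:
        return False, "malformed PORT argument (%s)" % exc
    if ipaddress.ip_address(target_ip) != ipaddress.ip_address(control_peer_ip):
        return False, "target %s is not the control peer %s: bounce refused" % (target_ip, control_peer_ip)
    if target_port < 1024:
        return False, "target port %d is privileged" % target_port
    return True, "ok"


# Constructed session: the client on 192.0.2.10 issues several PORT commands.
CLIENT_IP = "192.0.2.10"
SESSION = [
    "192,0,2,10,4,1",    # back to the client on port 1025: a normal active-mode transfer
    "192,0,2,55,0,80",   # a third host's port 80: bounce attempt
    "192,0,2,10,0,23",   # the client itself, but port 23: privileged port
    "192,0,2",           # garbage
]


def review_session(client_ip=CLIENT_IP, commands=SESSION):
    """Apply the check to every PORT command; returns [(command, allowed, reason), ...]."""
    return [(cmd,) + port_command_allowed(client_ip, cmd) for cmd in commands]


if __name__ == "__main__":
    for cmd, allowed, reason in review_session():
        print("%-18s %s  %s" % (cmd, "ACCEPT" if allowed else "REJECT", reason))
```

Of the four commands in the constructed session only the first is accepted; the second is the bounce case the slide warns about, and a server that accepts it can be used to scan a third host on the attacker's behalf.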

18
Standard FTP Control and Data Connections
  • Active mode

(Diagram: an internal FTP client and an external FTP server; the client opens the control connection, the server opens the data connection back to the client.)
19
FTP Bounce Scans
  • Standard (active) FTP is hard for routers and
    firewalls to handle.

(Diagram: the server opens data connections from source port 20 to client destination ports 1024, 1025 and 1026; the firewall reasons "Duh, I'll let in that incoming FTP data connection.")
20
Defenses against Port Scanning
  • Harden your systems
  • Close all unused ports.
  • Minimize the services and tools installed.
  • Find the openings before the attackers do
  • Stateful inspection
  • Remembers all outgoing SYNs in a connection table
  • Checks incoming packets against that table, which
    stops ACK scans.
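
To see why the connection table matters, here is an added example (written for these notes, not code from Counter Hack or from any firewall product) that runs the same packets through a toy stateful filter and through the stateless "let ACKs in, they must be replies" rule that an ACK scan is designed to slip past. The internal range 10.0.0.0/8 and all addresses and ports in the traffic are constructed.

```python
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # constructed: the protected internal range


class StatefulFilter:
    """Toy stateful inspection: remember outbound SYNs, admit inbound packets
    only when they belong to a connection an inside host started."""

    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)
        self.log = []

    @staticmethod
    def _inside(ip):
        return ipaddress.ip_address(ip) in INSIDE

    def handle(self, src, sport, dst, dport, flags):
        """Return 'PASS' or 'DROP' for one packet; flags is a set such as {'SYN'} or {'ACK'}."""
        if self._inside(src):
            key = (src, sport, dst, dport)
            if flags == {"SYN"}:
                self.table.add(key)            # inside host opens a connection: remember it
                verdict = "PASS"
            else:
                verdict = "PASS" if key in self.table else "DROP"
        else:
            key = (dst, dport, src, sport)     # flip to the orientation stored in the table
            verdict = "PASS" if key in self.table else "DROP"   # unsolicited ACK probes land here
        self.log.append("%s %s:%d -> %s:%d [%s]" % (verdict, src, sport, dst, dport, "|".join(sorted(flags))))
        return verdict


def established_only_rule(src, flags):
    """The stateless ACL a router might use instead: outbound is free, inbound is
    admitted whenever ACK is set on the assumption that it is a reply."""
    if ipaddress.ip_address(src) in INSIDE:
        return "PASS"
    return "PASS" if "ACK" in flags else "DROP"


# Constructed traffic: one legitimate connection from an inside host, then ACK probes from outside.
TRAFFIC = [
    ("10.0.0.5",     40000, "198.51.100.7", 80,    {"SYN"}),
    ("198.51.100.7", 80,    "10.0.0.5",     40000, {"SYN", "ACK"}),
    ("10.0.0.5",     40000, "198.51.100.7", 80,    {"ACK"}),
    ("203.0.113.9",  55555, "10.0.0.5",     1024,  {"ACK"}),
    ("203.0.113.9",  55555, "10.0.0.5",     1025,  {"ACK"}),
    ("203.0.113.9",  55555, "10.0.0.5",     1026,  {"ACK"}),
]


def compare_filters(traffic=TRAFFIC):
    """Run the same packets through both filters; returns {'stateful': [...], 'stateless': [...]}."""
    sf = StatefulFilter()
    stateful = [sf.handle(*pkt) for pkt in traffic]
    stateless = [established_only_rule(pkt[0], pkt[4]) for pkt in traffic]
    return {"stateful": stateful, "stateless": stateless}


if __name__ == "__main__":
    for name, verdicts in compare_filters().items():
        print(name, verdicts)
```

The three probes to ports 1024-1026 reach the inside host under the stateless rule, and the RESET it answers with is exactly the signal the ACK scan is looking for; the stateful filter drops them because no inside host ever sent a SYN to 203.0.113.9.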

21
How Firewalk Works
Firewalk discovery phase counts the number of
hops to the firewall
22
Determining Firewall Filter Rules with Firewalk
(Diagram: the attacker sits behind a router, then comes a packet filter firewall with external IP 10.1.1.1, then another router. Probes to TCP port 1, TCP port 2 and TCP port 3 are sent with TTL 4; only the port 3 probe draws a Time Exceeded from the router behind the firewall. "Aha! TCP port 3 is unfiltered!")
Firewalk scanning phase determines open ports
through the firewall
23
Firewalk Defenses
  • Configure the firewall with the minimum set of
    ports allowed through it.

24
Firewalk Defenses
  • Replace packet-filtering devices with proxy-based
    firewalls (proxies do not transmit TTL
    information)
  • Drawback: lower performance
  • Filter out ICMP Time Exceeded messages leaving
    your network
  • Drawback: normal users and network administrators
    will not be able to traceroute
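
The traceroute slides, the "stop ICMP Time Exceeded messages leaving your network" defense and the Firewalk slides all rest on the same mechanism, so one added model covers them (this is example code written for these notes, not code from Counter Hack, traceroute or Firewalk). It walks a probe along a constructed path of five hops, decrementing TTL at each router, and reports what an outside observer gets back with and without the border filtering outbound Time Exceeded messages. The hop names, the addresses (documentation ranges), the firewall's position at hop 3 and its allowed ports {80, 443} are all assumptions.

```python
# Constructed path from an outside observer to an inside web server;
# True marks hops inside the protected network.
PATH = [
    ("isp-router",       "203.0.113.1",  False),
    ("border-router",    "198.51.100.1", True),
    ("packet-filter-fw", "198.51.100.2", True),
    ("internal-router",  "10.0.0.1",     True),
    ("web-server",       "10.0.0.80",    True),
]
FIREWALL_HOP = 3                  # 1-based position of the packet filter in PATH (assumption)
FIREWALL_ALLOWED_PORTS = {80, 443}  # the filter's rule set (assumption)


def send_probe(ttl, dport, filter_time_exceeded):
    """Follow one probe along PATH. Returns ('time-exceeded', ip), ('reply', ip) or ('none', None)."""
    for position, (_name, ip, inside) in enumerate(PATH, start=1):
        if position == len(PATH):
            return ("reply", ip)                 # delivered: the destination host answers itself
        ttl -= 1                                 # every router decrements TTL before forwarding
        if ttl == 0:
            if inside and filter_time_exceeded:
                return ("none", None)            # border filter eats the outbound Time Exceeded
            return ("time-exceeded", ip)
        if position == FIREWALL_HOP and dport not in FIREWALL_ALLOWED_PORTS:
            return ("none", None)                # packet filter silently drops the probe
    return ("none", None)


def traceroute(filter_time_exceeded, dport=80, max_ttl=8):
    """Hop list an outsider reconstructs: [(ttl, responder_ip or '*'), ...] up to the destination."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        kind, ip = send_probe(ttl, dport, filter_time_exceeded)
        hops.append((ttl, ip if kind != "none" else "*"))
        if kind == "reply":
            break
    return hops


def outsider_view_of_filter(probe_ports, filter_time_exceeded):
    """Firewalk's scanning phase as seen from outside: probes with TTL one past the
    firewall (discovery phase counted FIREWALL_HOP hops). A Time Exceeded from the
    hop behind the firewall shows that the port passed the filter."""
    ttl = FIREWALL_HOP + 1
    view = {}
    for port in probe_ports:
        kind, _ = send_probe(ttl, port, filter_time_exceeded)
        view[port] = "unfiltered" if kind == "time-exceeded" else "no answer"
    return view


if __name__ == "__main__":
    for filtered in (False, True):
        print("border filters Time Exceeded:", filtered)
        print("  traceroute:", traceroute(filtered))
        print("  firewalk view:", outsider_view_of_filter([1, 2, 3, 80, 443], filtered))
```

Without the filter the traceroute shows every hop and the Firewalk view correctly marks 80 and 443 as passing the filter. With the filter the inside hops become "*" and every port reads "no answer", which is both the benefit and the drawback the slide lists: the firewall's rule set no longer leaks, but nobody can traceroute through that border any more.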

25
Vulnerability Scanning
  • What is a vulnerability scanner?
  • Types of vulnerabilities
  • Common configuration errors.
  • Default configuration weaknesses.
  • Well-known system vulnerabilities.

26
Vulnerability Scanner
A generic vulnerability scanner
27
The Nessus Architecture
  • Client-server architecture
  • Client: user configuration tool and a results
    repository/report generation tool.
  • Server: vulnerability database, a knowledge
    base of the current active scan, and a scanning
    engine.

28
The Nessus Architecture
  • Supports strong authentication, based on public
    key encryption.
  • Supports strong encryption based on the Twofish
    and RIPEMD algorithms.
  • The most common use: client and server running on
    a single machine.

29
Vulnerability Scanning Defense
  • Close unused ports
  • Keep systems patched
  • Run the tools against your own networks
  • Be careful with DoS (Denial of Service) and
    password guessing tests!
  • Be aware of the limitations of vulnerability
    scanning tools.

30
Intrusion Detection System(IDS)
  • All the scanning tools are noisy
  • They can be detected by a network-based intrusion
    detection system (IDS)
  • An IDS listens for attacks and warns administrators
    of the attacker's activities

31
How Intrusion Detection Systems Work
  • Captures all data on the LAN.
  • Sorts through this data to determine if an actual
    attack is underway.
  • Has a database of attack signatures.
  • Matches traffic against the signatures in its
    database.
  • When an attack is discovered, the IDS warns the
    administrator.
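
The two statements "scanning tools are noisy" and "the IDS matches signatures" can be made concrete with a small detector. The following is an added example written for these notes, not code from Counter Hack or from any IDS product: it parses a constructed connection log, raises a signature alert for a TCP packet carrying FIN without ACK (the probe a FIN scan sends, which never occurs in a normal connection), and raises a port-scan alert when one source touches six or more distinct ports within 60 seconds, a door-knocking pattern in the sense of the port-scanning slides. The log format, the addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) flags=(?P<flags>\S+)$")

# Constructed log: 198.51.100.7 is ordinary traffic, 203.0.113.9 walks through the ports.
SAMPLE_LOG = """\
2004-03-01T10:00:00 src=198.51.100.7 dst=10.0.0.5 dport=80 proto=tcp flags=S
2004-03-01T10:00:01 src=203.0.113.9 dst=10.0.0.5 dport=21 proto=tcp flags=S
2004-03-01T10:00:01 src=203.0.113.9 dst=10.0.0.5 dport=22 proto=tcp flags=S
2004-03-01T10:00:02 src=203.0.113.9 dst=10.0.0.5 dport=23 proto=tcp flags=S
2004-03-01T10:00:02 src=198.51.100.7 dst=10.0.0.5 dport=80 proto=tcp flags=S
2004-03-01T10:00:03 src=203.0.113.9 dst=10.0.0.5 dport=25 proto=tcp flags=S
2004-03-01T10:00:03 src=203.0.113.9 dst=10.0.0.5 dport=80 proto=tcp flags=S
2004-03-01T10:00:04 src=203.0.113.9 dst=10.0.0.5 dport=110 proto=tcp flags=S
2004-03-01T10:00:05 src=198.51.100.7 dst=10.0.0.6 dport=443 proto=tcp flags=S
2004-03-01T10:00:05 src=203.0.113.9 dst=10.0.0.5 dport=143 proto=tcp flags=F
2004-03-01T10:00:06 src=203.0.113.9 dst=10.0.0.5 dport=443 proto=tcp flags=S
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect(lines, threshold=6, window_seconds=60):
    """Return alerts as (kind, src, detail) tuples, in the order they fire."""
    alerts = []
    recent = defaultdict(deque)   # src -> deque of (timestamp, (dst, dport)) inside the window
    scan_flagged = set()          # sources already reported, so one scan gives one alert
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        # Signature rule: FIN without ACK is not part of any legitimate TCP exchange.
        if ev["proto"] == "tcp" and "F" in ev["flags"] and "A" not in ev["flags"]:
            alerts.append(("fin-probe", ev["src"], "%s:%d" % (ev["dst"], ev["dport"])))
        # Threshold rule: count distinct (host, port) targets per source in a sliding window.
        q = recent[ev["src"]]
        q.append((ev["ts"], (ev["dst"], ev["dport"])))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= threshold and ev["src"] not in scan_flagged:
            scan_flagged.add(ev["src"])
            alerts.append(("port-scan", ev["src"],
                           "%d distinct ports within %ds" % (len(distinct), window_seconds)))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG.splitlines()):
        print(kind, src, detail)
```

On the constructed log the scanner is reported twice, once by the threshold rule (after its sixth port) and once by the FIN signature, while the host that only ever talks to ports 80 and 443 is never mentioned.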

32
A Network-Based Intrusion Detection System
33
IDS Evasion at the Network Level
  • Fragment packets
  • The IDS must reassemble packets. However, different
    target systems have various inconsistencies in
    the way they handle fragments
  • Just use fragments
  • Send a flood of fragments
  • Fragment the packets in unexpected ways

34
The tiny fragment attack
(Diagram: the attacker sends fragment 1, holding only part of the TCP header, and fragment 2, holding the rest of the TCP header with the port number; the network IDS probe says "Looks good to me" and the fragments reach the protected server.)
35
A fragment overlap attack
(Diagram: the attacker sends fragment 1, part of a TCP packet for port 80, then fragment 2 saying "My offset is xyz", whose data contains part of a TCP header with port 23; the network IDS probe says "Looks good to me" and the fragments reach the protected server.)
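
What an IDS has to do about the tiny-fragment and fragment-overlap slides is reassemble before judging, and refuse to trust a single reassembly when fragments disagree. The following is an added example written for these notes, not code from Counter Hack, from FragRouter or from any IDS: it reassembles a list of constructed IP fragments (offset in bytes, payload), flags a first fragment too short to hold the 20-byte TCP header, flags overlapping fragments whose bytes conflict, and reports the TCP destination port under both a "first fragment wins" and a "last fragment wins" policy so the ambiguity is visible. The TCP header builder and the three cases are constructed for the demo.

```python
import struct

MIN_TCP_HEADER = 20   # bytes; a TCP header without options


def tcp_header(src_port, dst_port):
    """Constructed 20-byte TCP SYN header (no options) used to build the demo fragments."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)


def analyze_fragments(fragments):
    """fragments: list of (offset_in_bytes, payload_bytes) in arrival order.
    Returns {'alerts': [...], 'dst_port_first_wins': int|None, 'dst_port_last_wins': int|None}."""
    alerts = []
    first = [p for off, p in fragments if off == 0]
    if not first:
        alerts.append("no fragment at offset 0")
    elif len(first[0]) < MIN_TCP_HEADER:
        alerts.append("tiny first fragment (%d bytes): TCP header incomplete, judge only after reassembly"
                      % len(first[0]))
    for off, _ in fragments:
        if off % 8:
            alerts.append("fragment offset %d is not a multiple of 8" % off)
    total = max(off + len(p) for off, p in fragments)
    first_wins = bytearray(total)   # policy: keep the byte that arrived first
    last_wins = bytearray(total)    # policy: keep the byte that arrived last
    seen = bytearray(total)
    conflicts = set()
    for off, payload in fragments:
        for i, byte in enumerate(payload):
            pos = off + i
            if seen[pos]:
                if first_wins[pos] != byte:
                    conflicts.add(pos)      # two fragments claim this byte with different data
            else:
                first_wins[pos] = byte
                seen[pos] = 1
            last_wins[pos] = byte
    if conflicts:
        alerts.append("overlapping fragments disagree at byte offsets %s" % sorted(conflicts))
    if not all(seen):
        alerts.append("reassembly has gaps")
    result = {"alerts": alerts, "dst_port_first_wins": None, "dst_port_last_wins": None}
    if total >= 4 and all(seen[:4]):
        result["dst_port_first_wins"] = struct.unpack("!H", first_wins[2:4])[0]
        result["dst_port_last_wins"] = struct.unpack("!H", last_wins[2:4])[0]
    return result


# Constructed cases: a normal split, the tiny-fragment slide, and the overlap slide.
HTTP = tcp_header(1234, 80) + b"GET / HTTP/1.0\r\n\r\n"
NORMAL_CASE = [(0, HTTP[:24]), (24, HTTP[24:])]
TINY_CASE = [(0, HTTP[:8]), (8, HTTP[8:])]
OVERLAP_CASE = [(0, HTTP[:24]), (0, tcp_header(1234, 23) + b"tel")]   # port 80, then port 23 on top


if __name__ == "__main__":
    for name, case in (("normal", NORMAL_CASE), ("tiny", TINY_CASE), ("overlap", OVERLAP_CASE)):
        print(name, analyze_fragments(case))
```

In the overlap case the first-wins view sees port 80 and the last-wins view sees port 23, which is exactly the gap between what the IDS believes and what a target that favours later fragments receives; an IDS that alerts on conflicting overlaps instead of silently picking one policy does not get fooled by which policy the target happens to use.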
36
Using FragRouter to evade IDS detection
(Diagram: the attack system sends attack packets to FragRouter, which forwards them to the victim as attack fragments; the network IDS probe says "Looks good to me".)
37
Some of the Many Fragmentation Options Offered by
FragRouter
Name Flag How the packets are mangled
frag-1 -F1 Send data in ordered 8-byte IP fragments
frag-2 -F2 Send data in ordered 24-byte IP fragments
frag-3 -F3 Send data in ordered 8-byte IP fragments, with one fragment sent out of order
tcp-1 -T1 Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte segments
tcp-5 -T5 Complete TCP handshake, send data in ordered 2-byte segments, preceding each segment with a 1-byte null data segment that overlaps the latter half of it. This amounts to the forward-overlapping 2-byte segment rewriting the null data back to the real attack.
tcp-7 -T7 Complete TCP handshake, send data in ordered 1-byte segments interleaved with 1-byte null segments for the same connection but with drastically different sequence numbers.
38
IDS Evasion Defenses
  • Keep the IDS system up to date
  • Utilize both host-based and network-based IDS

39
Reference
  • Firewalk: http://www.packetfactory.net/Firewalk/firewalk-final.html
  • Nessus: www.nessus.org

40
Vulnerability Assessment tool
41
Description
  • Nessus is a free, open source vulnerability
    scanner that provides a view of your networks as
    seen by outsiders.

42
Description
  • Nessus also provides many kinds of detailed report
    that identify the vulnerabilities and the
    critical issues that need to be corrected.
  • Nessus features
  • Plugin-based
  • Exportable reports

43
Structure
44
Step (I): install Nessus
  • Some ways to install
  • lynx -source http://install.nessus.org | sh
  • Dangerous: runs an unverified download directly
  • sh nessus-installer.sh
  • Easy and less dangerous

45
Step (II): create a nessusd account
Add the client user's account
Authentication method: password check
Edit the user's rights
46
Step (III): create a nessusd account
Authentication method: key-based
The key information of the user
47
Step (V): Nessus client configuration
The nessusd server's address
The port nessusd listens on
Login user name
User password
Click on "Log in"
48
The scan range
Avoid detection by an IDS
Choose the scan tools
49
Input the target's address
50
Nessus information
Start the scan
51
The scan process
Scanning
52
The export of the data (I)
The target's open ports
The details of this security issue, including
background and the solution
53
The export of the data (II)
Report in HTML with graphs
Warning information
54
Summary
  • Nessus is a powerful vulnerability assessment tool
    and port scanner

55
Reference
  • Nessus
  • http://www.nessus.org