Hands-On Ethical Hacking and Network Defense
Chapter 5: Port Scanning
Updated 11/7/2016 - jw

Objectives
- Describe port scanning
- Describe different types of port scans
- Describe various port-scanning tools
- Explain what ping sweeps are used for
- Explain how packet generation works

Introduction to Port Scanning
- Port scanning determines which applications/services are offered by a host
- Identifies vulnerabilities: open services can be used in attacks
  - Identify a vulnerable port
  - Launch an exploit
- Scan all ports when testing, not just well-known ports

Angry IP Port Scanner

Introduction to Port Scanning (continued)
- Port scanning programs report:
  - Open ports
  - Closed ports
  - Filtered ports
  - Best-guess assessment of which OS is running

Port Scanning Artifacts
- IDS/IPS alerts referencing port/protocol scans
- Firewall logs showing blocked attempts to access a large number of ports, in close sequence, on a single host, in a short time
- TCP session initiated to an IP address, immediately terminated, and not followed by additional communication; observable in the firewall log
- TCP session only half set up, then abandoned; potentially observable in the firewall log

Is Port Scanning Legal?
- The legal status of port scanning is unclear
- If you have permission, it's legal
- If you cause damage of $5,000 or more, it may be illegal
- For more info, see links:
  http://www.securityfocus.com/news/126
  https://www.sans.org/readingroom/whitepapers/legal/ethics-legality-portscanning-71

Using Port-Scanning Tools
- Port-scanning tools: hundreds available, not all are accurate
- Be familiar with a variety of tools
- Practice often to gain proficiency
- Do not use one tool exclusively
- Some tools include:
  - Nmap
  - Nessus and OpenVAS

Nmap
- Originally written for Phrack magazine
- One of the most popular tools
- GUI versions (ZenMap, Xnmap and Ubuntu's NmapFE) make working with complex options easier
- Open source tool
- Standard tool for security professionals

Types of Port Scans: Ping scan
- Simplest method: sends ICMP ECHO REQUEST to the destination(s)
- TCP Ping sends SYN or ACK to any port (default is port 80 for Nmap)
- Any response shows the target is up
- Example: nmap -sn 192.168.1.*

Normal TCP Handshake
  Client  --- SYN ------>  Server
  Client  <-- SYN/ACK ---  Server
  Client  --- ACK ------>  Server
- After this, you are ready to send data

SYN Port Scan
  Client  --- SYN ------>  Server
  Client  <-- SYN/ACK ---  Server
  Client  --- RST ------>  Server
- The server is ready, but the client decided not to complete the handshake
- Example: nmap -sS 192.168.1.* --reason

Types of Port Scans: SYN scan
- Stealthy scan, because session handshakes are never completed
- That keeps it out of some log files
- Three states: Closed, Open, Filtered
- Example: nmap -sS 192.168.1.*

Types of Port Scans: Connect scan
- Completes the three-way handshake
- Not stealthy: appears in log files
- Three states: Closed, Open, Filtered
- Example: nmap -sT 192.168.1.* --reason

Types of Port Scans: NULL scan
- All the packet flags are turned off
- Two results:
  - Closed ports reply with RST
  - Open or filtered ports give no response
- Example: nmap -sN 192.168.1.* --reason

Types of Port Scans: XMAS scan
- FIN, PSH and URG flags are set
- Works like a NULL scan: a closed port responds with an RST packet
- Example: nmap -sX 192.168.1.* --reason

Types of Port Scans: FIN scan
- Only the FIN flag is set
- Closed port responds with an RST packet
- Example: nmap -sF 192.168.1.* --reason

Windows Machines
- NULL, XMAS and FIN scans don't work on Windows machines
- Win 2000 Pro and Win Server 2003 show all ports closed
- Win XP Pro shows all ports open/filtered
- See the Nmap tutorial: https://nmap.org/bennieston-tutorial/

Types of Port Scans (continued): ACK scan
- Used to get information about a firewall
- Stateful firewalls track connections and block unsolicited ACK packets
- Stateless firewalls just block incoming SYN packets, so you get an RST response
- Example: nmap -sA 192.168.1.* --reason

Types of Port Scans (continued): UDP scan
- Closed port responds with an ICMP "Port Unreachable" message
- Rarely used
- Example: nmap -sU 192.168.1.* --reason

Types of Port Scans (continued): Nping
- Part of the Nmap suite
- Open-source tool for network packet generation, response analysis and response time measurement
- Nping allows users to generate network packets of a wide range of protocols, letting them tune virtually any field of the protocol headers
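The Port Scanning Artifacts slide lists what a scan leaves behind in firewall logs, and the Normal TCP Handshake and SYN Port Scan slides show the packet sequences that produce those artifacts. The following is an added example, not part of the original slides: it runs both detections over a constructed firewall log. The iptables-like record format, the addresses, the port numbers and the thresholds are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log (not from the slides) in an assumed iptables-like shape:
# <ISO time> <action> SRC=<ip> SPT=<port> DST=<ip> DPT=<port> PROTO=TCP FLAGS=<letters>
# FLAGS: S=SYN A=ACK R=RST F=FIN P=PSH U=URG. 10.9.141.178 completes a normal
# handshake; 10.9.142.15 probes five ports on one host within three seconds.
SAMPLE_LOG = """
2016-11-07T10:00:00 ACCEPT SRC=10.9.141.178 SPT=50100 DST=10.9.143.200 DPT=80 PROTO=TCP FLAGS=S
2016-11-07T10:00:00 ACCEPT SRC=10.9.143.200 SPT=80 DST=10.9.141.178 DPT=50100 PROTO=TCP FLAGS=SA
2016-11-07T10:00:00 ACCEPT SRC=10.9.141.178 SPT=50100 DST=10.9.143.200 DPT=80 PROTO=TCP FLAGS=A
2016-11-07T10:00:01 ACCEPT SRC=10.9.142.15 SPT=51001 DST=10.9.143.200 DPT=22 PROTO=TCP FLAGS=S
2016-11-07T10:00:01 ACCEPT SRC=10.9.143.200 SPT=22 DST=10.9.142.15 DPT=51001 PROTO=TCP FLAGS=SA
2016-11-07T10:00:01 ACCEPT SRC=10.9.142.15 SPT=51001 DST=10.9.143.200 DPT=22 PROTO=TCP FLAGS=R
2016-11-07T10:00:01 ACCEPT SRC=10.9.142.15 SPT=51002 DST=10.9.143.200 DPT=80 PROTO=TCP FLAGS=S
2016-11-07T10:00:01 ACCEPT SRC=10.9.143.200 SPT=80 DST=10.9.142.15 DPT=51002 PROTO=TCP FLAGS=SA
2016-11-07T10:00:01 ACCEPT SRC=10.9.142.15 SPT=51002 DST=10.9.143.200 DPT=80 PROTO=TCP FLAGS=R
2016-11-07T10:00:02 ACCEPT SRC=10.9.142.15 SPT=51003 DST=10.9.143.200 DPT=443 PROTO=TCP FLAGS=S
2016-11-07T10:00:02 ACCEPT SRC=10.9.143.200 SPT=443 DST=10.9.142.15 DPT=51003 PROTO=TCP FLAGS=RA
2016-11-07T10:00:02 DROP SRC=10.9.142.15 SPT=51005 DST=10.9.143.200 DPT=3389 PROTO=TCP FLAGS=S
2016-11-07T10:00:03 DROP SRC=10.9.142.15 SPT=51006 DST=10.9.143.200 DPT=8080 PROTO=TCP FLAGS=S
"""

LOG_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>\S+) SRC=(?P<src>\S+) SPT=(?P<spt>\d+) "
    r"DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) PROTO=TCP FLAGS=(?P<flags>\S+)"
)

def parse_log(text):
    """Parse matching records into dicts sorted by time; other lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({"ts": datetime.fromisoformat(d["ts"]), "src": d["src"],
                           "spt": int(d["spt"]), "dst": d["dst"], "dpt": int(d["dpt"]),
                           "flags": frozenset(d["flags"])})
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order intact
    return events

def find_port_sweeps(events, min_ports=5, window_seconds=10):
    """Artifact 1: one source sends initial SYNs to many distinct ports on one host
    in a short time. Returns {(src, dst): distinct ports in the busiest window}."""
    probes = defaultdict(list)
    for e in events:
        if e["flags"] == {"S"}:  # connection attempts only, not replies
            probes[(e["src"], e["dst"])].append(e)
    alerts = {}
    for pair, syns in probes.items():
        best = 0
        for i in range(len(syns)):
            ports = set()
            for j in range(i, len(syns)):
                if (syns[j]["ts"] - syns[i]["ts"]).total_seconds() > window_seconds:
                    break
                ports.add(syns[j]["dpt"])
            best = max(best, len(ports))
        if best >= min_ports:
            alerts[pair] = best
    return alerts

def classify_sessions(events):
    """Artifact 2: follow each client SYN through the handshake and record how it
    ended. Keys are (client, client_port, server, server_port)."""
    sessions = {}
    for e in events:
        fwd = (e["src"], e["spt"], e["dst"], e["dpt"])
        rev = (e["dst"], e["dpt"], e["src"], e["spt"])
        f = e["flags"]
        if f == {"S"}:
            sessions[fwd] = "syn_sent"
        elif sessions.get(rev) == "syn_sent":          # the server answers the SYN
            if f == {"S", "A"}:
                sessions[rev] = "syn_ack_received"
            elif "R" in f:
                sessions[rev] = "closed_port"
        elif sessions.get(fwd) == "syn_ack_received":  # the client's third packet
            if f == {"A"}:
                sessions[fwd] = "established"          # normal three-way handshake
            elif "R" in f:
                sessions[fwd] = "half_open_reset"      # SYN scan: RST instead of ACK
    for key, state in sessions.items():
        if state == "syn_ack_received":
            sessions[key] = "half_open_abandoned"     # handshake never completed
        elif state == "syn_sent":
            sessions[key] = "no_reply"                # dropped or filtered
    return sessions

def half_open_by_source(sessions):
    """Count half-open sessions per client: a scanner piles these up, a real client does not."""
    counts = defaultdict(int)
    for (client, _, _, _), state in sessions.items():
        if state.startswith("half_open"):
            counts[client] += 1
    return dict(counts)
```

With the sample log, `find_port_sweeps` flags only the (10.9.142.15, 10.9.143.200) pair, and `classify_sessions` labels the two SYN-then-RST exchanges as half-open while the normal client's session ends up as established. The window and port thresholds are the tunable part: real detection rules set them from what normal clients on the network actually do.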
Nping examples
- nping -c 1 --tcp -p 80,433 scanme.nmap.org google.com
- nping --tcp -c 2 1.1.1.1 -p 100-102

Using Port-Scanning Tools
- Nmap (ZenMap GUI)
- Unicornscan
- NetScanTools Pro
- Nessus
- OpenVAS (or Greenbone Security Assistant)

Nmap OS Fingerprinting
- nmap -O 192.168.96.36

Nmap Service Fingerprinting
- nmap -sV 192.168.96.36

The Matrix Reloaded
- Trinity uses Nmap
- Video at https://www.youtube.com/watch?v=0PxTAn4g20U

Online Nmap Scanning
- https://pentest-tools.com/networkvulnerability-scanning/tcp-port-scanneronline-nmap

Unicornscan
- Developed in 2004 for Linux & UNIX only
- Ideal for large networks
- Scans 65,535 ports in three to seven seconds
- Optimizes UDP scanning
- Also can use TCP, ICMP, or IP
- Free from http://unicornscan.org/
- Scatter Connect feature: offload scans to multiple servers

NetScanTools Pro
- Robust, easy-to-use commercial tool
- Runs on Windows
- Types of tests:
  - Database vulnerabilities
  - DHCP server discovery
  - IP packets viewer
  - Name server lookup
  - OS fingerprinting
- http://www.netscantools.com

Nessus
- First released in 1998 as a free, open source remote security scanner tool
- Uses a client/server technology
- Can conduct tests from different locations
- Can use different OSs for client and network
- 2005: Nessus 3 became a commercial product

Nessus (continued)
- Server: any *NIX platform
- Client: can be *NIX or Windows
- Functions much like a database server
- Ability to update security check plug-ins
- Some plug-ins are considered dangerous

Nessus (continued)
- Finds services running on ports
- Performs vulnerability scanning associated with the identified services
- Real-time Vulnerability Updates
- Web Application Scanning
- Mobile Device Detection
- Configuration Checks
- Compliance Checks (PCI, CIS, FDCC, NIST, etc.)
Nessus (continued)
- Sensitive Data Searches
- SCADA Audits

OpenVAS (or Greenbone Security Assistant)
- OpenVAS: open-source fork of Nessus in 2005
- Now branded as Greenbone Security Assistant
- Capable of updating security check plug-ins (security test programs/scripts)
- Performs complex queries while the client interfaces with the server
- Can also determine what vulnerabilities are associated with services

Conducting Ping Sweeps
- Ping sweeps identify which IP addresses belong to active hosts
- Ping a range of IP addresses
- Problems:
  - Computers that are shut down cannot respond
  - Networks may be configured to block ICMP Echo Requests
  - Hardware and software firewalls may filter out ICMP traffic

Fping
- Ping multiple IP addresses simultaneously
- Command-line tool
- Input: multiple IP addresses
  - To enter a range of addresses: -g option
  - Input file with addresses: -f option
- See links:
  http://fping.org/ - Latest Version
  http://fping.sourceforge.net/

Fping
- To ping sweep a range of IP addresses without using an input file, use the command:
  fping -g BeginningIPaddress EndingIPaddress
- The -g parameter is used when no input file is available
- Example: fping -g 192.168.185.1 192.168.185.5
- The command returns the results shown on the next slide

Fping on Ubuntu
- sudo apt-get install fping

Hping
- Used to bypass filtering devices
- Allows users to fragment and manipulate IP packets
- Powerful tool
- Supports many parameters (command options), including OS fingerprinting
- See links:
  www.hping.org/
  https://en.wikipedia.org/wiki/Hping
  https://www.ethicalhacker.net/columns/gates/tutorial-hping2-basics
- No longer in development; use hping2 or hping3

hping2 on Ubuntu
- sudo apt-get install hping2
- The command below sends three SYN packets to port 80 on the 147.144.1.2 server
- Response is SYN/ACK, as expected

Broadcast Addresses
- If you PING a broadcast address, that can create a lot of traffic
- In Class A, B, and C IP addresses, the broadcast address normally ends in .255
- But if your LAN is subnetted with a subnet mask like 255.255.255.192 (/26), there are other broadcast addresses, ending in 63, 127, and 191

Broadcast Addresses: Flooded Broadcast
IP ADDRESS OF WORKSTATION = 10.9.142.15/22
  Workstation:~ wagnerj$ ping 255.255.255.255
  PING 255.255.255.255 (255.255.255.255): 56 data bytes
  64 bytes from 10.9.140.1: icmp_seq=0 ttl=255 time=1.805 ms
  64 bytes from 10.9.143.200: icmp_seq=0 ttl=64 time=2.020 ms
  64 bytes from 10.9.141.178: icmp_seq=0 ttl=64 time=2.188 ms
  64 bytes from 10.9.143.173: icmp_seq=0 ttl=64 time=5.243 ms
  64 bytes from 10.9.143.232: icmp_seq=0 ttl=64 time=79.445 ms
  64 bytes from 10.9.143.154: icmp_seq=0 ttl=64 time=79.601 ms
  64 bytes from 10.9.142.85: icmp_seq=0 ttl=64 time=79.998 ms
  64 bytes from 10.9.143.134: icmp_seq=0 ttl=64 time=80.334 ms
  64 bytes from 10.9.143.185: icmp_seq=0 ttl=64 time=80.742 ms
  64 bytes from 10.9.143.157: icmp_seq=0 ttl=64 time=81.466 ms
  64 bytes from 10.9.143.235: icmp_seq=0 ttl=64 time=85.078 ms

Broadcast Addresses: Directed Broadcast
IP ADDRESS OF WORKSTATION = 10.9.142.15/22
  Workstation:~ wagnerj$ ping 10.9.143.255
  PING 10.9.143.255 (10.9.143.255): 56 data bytes
  64 bytes from 10.9.140.1: icmp_seq=0 ttl=255 time=5.387 ms
  64 bytes from 10.9.143.200: icmp_seq=0 ttl=64 time=5.572 ms
  64 bytes from 10.9.143.173: icmp_seq=0 ttl=64 time=5.735 ms
  64 bytes from 10.9.141.178: icmp_seq=0 ttl=64 time=5.890 ms
  64 bytes from 10.9.143.169: icmp_seq=0 ttl=64 time=209.499 ms
  64 bytes from 10.9.142.46: icmp_seq=0 ttl=64 time=209.989 ms
  64 bytes from 10.9.143.189: icmp_seq=0 ttl=64 time=210.008 ms
  64 bytes from 10.9.143.194: icmp_seq=0 ttl=64 time=210.017 ms
  64 bytes from 10.9.143.141: icmp_seq=0 ttl=64 time=210.025 ms
  64 bytes from 10.9.143.160: icmp_seq=0 ttl=64 time=210.034 ms
  64 bytes from 10.9.143.146: icmp_seq=0 ttl=64 time=210.049 ms

Smurf Attack
- Pinging a broadcast address on an old network resulted in a lot of ping responses
- So just put the victim's IP address in the "From" field
- The victim is attacked by a flood of pings, none of them directly from you
- Modern routers don't forward broadcast packets, which prevents them from amplifying smurf attacks
- Windows and Ubuntu don't respond to broadcast PINGs
- See links: https://en.wikipedia.org/wiki/Smurf_attack

Smurf Attack: Mitigation techniques
- Configure individual hosts and routers not to respond to ICMP requests or broadcasts
- Configure routers not to forward packets directed to broadcast addresses
- Network ingress filtering to reject the attacking packets on the basis of the forged source address

Crafting IP Packets
- Packet components: source IP address, destination IP address, flags
- Crafting packets helps you obtain more information about a service

Crafting IP Packets: Tools
- Scapy - http://www.secdev.org/projects/scapy/
- Yersinia - http://www.yersinia.net/
- Ostinato - http://ostinato.org/
- Colasoft Packet Builder - http://www.colasoft.com/
- Bit-Twist - http://bittwist.sourceforge.net/
- Fping
- Hping
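The Broadcast Addresses slides work the /26 case by hand (broadcasts ending in 63, 127, 191 and 255) and show a 10.9.142.15/22 workstation reaching the directed broadcast 10.9.143.255; the Smurf Attack mitigation slide then asks routers not to forward packets aimed at broadcast addresses. The following is an added example, not from the slides, using Python's standard ipaddress module: it computes those broadcast addresses for any prefix split and implements the "is this destination a local broadcast?" check a router or filter would apply before forwarding. The 10.9.140.0/22 subnet and the destination list are constructed from the slides' own addresses.

```python
import ipaddress

def subnet_broadcasts(network, new_prefix):
    """Directed-broadcast address of every subnet when `network` is split into
    /new_prefix blocks. A /24 split into /26s gives .63, .127, .191 and .255."""
    net = ipaddress.ip_network(network, strict=False)
    return [str(sub.broadcast_address) for sub in net.subnets(new_prefix=new_prefix)]

def directed_broadcast_for(host_with_prefix):
    """The directed broadcast reachable from a host such as 10.9.142.15/22."""
    return str(ipaddress.ip_interface(host_with_prefix).network.broadcast_address)

def is_directed_broadcast(address, prefix_len):
    """True if `address` is the broadcast of its own /prefix_len subnet.
    The same last octet can be a host on one mask and a broadcast on another."""
    iface = ipaddress.ip_interface(f"{address}/{prefix_len}")
    return iface.ip == iface.network.broadcast_address

# The limited broadcast is never forwarded by any router, so it is always on the list.
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def broadcast_destinations(destinations, local_subnets):
    """Given destination addresses arriving at a router and the subnets behind it
    (constructed input), return those that target a broadcast address: the packets
    the router must refuse to forward so it cannot act as a smurf amplifier."""
    bcasts = {ipaddress.ip_network(s, strict=False).broadcast_address for s in local_subnets}
    bcasts.add(LIMITED_BROADCAST)
    return [d for d in destinations if ipaddress.ip_address(d) in bcasts]

if __name__ == "__main__":
    print(subnet_broadcasts("192.168.1.0/24", 26))
    print(directed_broadcast_for("10.9.142.15/22"))
    print(broadcast_destinations(
        ["10.9.143.255", "10.9.142.15", "255.255.255.255", "10.9.141.255"],
        ["10.9.140.0/22"]))
```

Note that 10.9.141.255 is not flagged: on a /22 it is an ordinary host address, which is exactly why the mask, not the last octet, has to drive the check.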