Xmas Tree Scan
Detection with
Snort
Presented by:
Aqila Dissanayake
University of Windsor
dissanaa@uwindsor.ca
Olalekan Kadri
University of Windsor
kadrio@uwindsor.ca
Presentation Outline
• Definition of Port Scan
• History of Port Scanning
• Well-known Port Scanning Techniques
• Why Study Port Scanning Techniques?
• Ports
• TCP and TCP Flags
• Xmas Tree Scan
• Packet Design for Xmas Tree Scan
• The Experiment
• References
Port Scanning
• “A port scan is a method used by intruders to discover the
services running on a target machine” [1].
• By simply checking whether a given port is open or closed, an attacker
can decide whether to attack that machine on that specific port.
• “For example, if the intruder finds that port 143 (the IMAP
port) is open; she may proceed to find out what version of
IMAP is running on the target machine. If the version is
vulnerable, she may be able to gain super user access to
the machine using an exploit” [1].
History of Port Scanning
• In the early days of computing, port scanning was not widely used.
• Even after powerful port scanners such as the Network Mapper (Nmap)
came into use, port scanning did not receive wide usage.
• The reason was that, even with Nmap, people needed root privileges to
construct and receive the raw network packets used for port scanning on
Unix/Linux systems. (Open source software like Nmap first came into use
on Linux-based systems.)
• In those days most people did not have their own Unix/Linux box; they
had a shared shell account [2].
• These days Nmap is available for Windows systems, and computers are
much cheaper than they used to be, so people can run Nmap on their own
Windows or Linux box.
• Also, various scanning tools are widely available over the internet,
and the internet itself has become much faster because of increasing
bandwidth.
• This has led to a tremendous increase in network activity, including
port scanning.
• Search engines like Google add fuel to the scenario by providing a
simple and easy way to find tools for network reconnaissance and
detailed knowledge about network protocols and the internet, which
makes port scans much more successful and stealthy.
• Nowadays port scans have become much easier to perform because of the
many software tools available over the internet.
• One can simply download such a tool and run it to scan whole networks
in a matter of minutes.
The most well known port scanning techniques
• TCP connect scan
• TCP SYN scan
• TCP FIN scan
• TCP null scan
• TCP window scan
• TCP ACK scan
• TCP Maimon scan
• Xmas tree scan
• UDP scan
• IP protocol scan
• FTP bounce scan
• Idle scan
Why study port scanning techniques?
• Since port scanning techniques are used to conduct reconnaissance in
networks, they can be considered the early steps an intruder takes
before the actual attack.
• So, if we can catch network reconnaissance attacks, it will be much
easier to prevent the actual attack from taking place.
Port
• "A software port is a virtual data connection that can be used by
programs to exchange data directly, instead of going through a file or
other temporary storage location" [3].
• Examples are TCP and UDP ports, which are used to exchange data between
computers on a network.
• Port numbers are unique within a computer system [4]; more precisely,
they are unique per transport protocol, so TCP port 80 and UDP port 80
are distinct ports.
• A port number is a 16-bit unsigned integer. Therefore the number of
available ports is 2^16 = 65536, numbered from 0 to 65535.
• Normally, ports are divided into three distinct categories [4]:
  – Well Known Ports: 0 – 1023
  – Registered Ports: 1024 – 49151
  – Dynamic and/or Private Ports: 49152 – 65535
Well Known Ports
• "The Well Known Ports are assigned by the IANA and on most systems can
only be used by system (or root) processes or by programs executed by
privileged users" [5].
• On Unix-like systems, an attempt by an unprivileged user to bind a port
in the range 0 to 1023 will fail [4]. (On Linux the CAP_NET_BIND_SERVICE
capability grants this right without full root.)
• Some commonly used well known ports are [7]:
  – Port 20 – FTP, data
  – Port 21 – FTP, control
  – Port 22 – SSH
  – Port 23 – Telnet
  – Port 25 – SMTP
  – Port 53 – DNS
  – Port 80 – HTTP
TCP & TCP Flags
• "The Transmission Control Protocol (TCP) is one of the core protocols
of the internet protocol suite" [8].
• "TCP is a connection-oriented, end-to-end reliable protocol designed to
fit into a layered hierarchy of protocols which support multi-network
applications" [9].
• In the TCP header, 8 bits (the byte at offset 13) are allocated for
flags. RFC 793 defines six control bits in that byte (URG, ACK, PSH,
RST, SYN, FIN); the two high-order bits were later assigned to ECN (CWR
and ECE).
• Most of the scanning techniques listed earlier make use of these flags
to carry out port scanning.
• Each TCP-based scan sets these flags to a different value or
combination of values in order to do the scanning.
Xmas Tree Scan
• The Xmas tree scan exploits a subtle loophole in the TCP RFC to
differentiate between open and closed ports [2].
• "If the [destination] port state is CLOSED, an incoming segment not
containing a RST causes a RST to be sent in response" [2].
• When scanning systems compliant with the TCP RFC text, any packet not
containing the SYN, RST, or ACK bits will result
  – in a returned RST if the port is closed
  – and no response at all if the port is open [2].
• "As long as none of those three bits are included, any combination of
the other three (FIN, PSH, and URG) are OK" [2].
• Nmap exploits this with the Xmas tree scan.
Closed Port
• In a Xmas tree scan, if a RST packet is received, the port is
considered closed. This is illustrated by the diagram below.
[Diagram: Xmas probe (FIN, PSH, URG set) sent to a closed port, RST
returned. Adapted from http://www.networkuptime.com/nmap/page3-5.shtml]
Open/Filtered Port
• No response means the port is open or filtered. The port is marked
filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or
13) is received. The no-response scenario is shown below.
[Diagram: Xmas probe sent to an open port, no response returned. Adapted
from http://www.networkuptime.com/nmap/page3-5.shtml]
• "The key advantage to these scan types is that they can sneak through
certain non-stateful firewalls and packet filtering routers" [2].
• Furthermore, the Xmas tree scan is stealthier than a regular SYN scan
[2].
• Luckily, though, intrusion detection products can be configured to
detect these types of reconnaissance scans.
• The Snort intrusion detection system alerted on the Xmas tree scan in
our test.
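As an added example (not part of the original presentation and not Snort's own code or shipped rule set), the matching logic of a Snort flags rule for this probe, run over a few constructed packets. In Snort's rule language the keyword flags:FPU with no modifier matches segments whose FIN, PSH and URG bits are set and no others, which is exactly the 0x29 flags byte of the Xmas probe; the Python below implements that match, and the per-source alert limiting that a Snort event_filter of type limit provides, so that a burst of probes yields one alert rather than one per packet. The addresses, timestamps and the local sid 1000001 in the rule string are assumptions.

```python
"""Snort-style Xmas-scan detection over constructed packets (added example)."""

# TCP control bits as laid out in the flags byte (bit 0 = FIN ... bit 5 = URG).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # 0b00101001 == 0x29

# Snort rule with the same match; "flags:FPU" with no modifier means exactly
# these three bits set. sid 1000001 is an assumed local-rule number.
SNORT_RULE = ('alert tcp any any -> $HOME_NET any (msg:"SCAN nmap XMAS"; '
              'flags:FPU; classtype:attempted-recon; sid:1000001; rev:1;)')

# Constructed sample traffic, not a real capture: (time_s, src, dst, dport, flags).
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.9", 22, SYN),        # normal three-way handshake
    (0.01, "10.0.0.9", "10.0.0.5", 22, SYN | ACK),
    (0.02, "10.0.0.5", "10.0.0.9", 22, ACK),
    (1.00, "10.0.0.7", "10.0.0.9", 21, XMAS),       # Xmas probes from one source
    (1.01, "10.0.0.7", "10.0.0.9", 22, XMAS),
    (1.02, "10.0.0.7", "10.0.0.9", 23, XMAS),
    (1.03, "10.0.0.7", "10.0.0.9", 25, XMAS),
    (1.04, "10.0.0.7", "10.0.0.9", 80, FIN),        # FIN scan: not a Xmas probe
    (1.05, "10.0.0.7", "10.0.0.9", 53, XMAS | ACK), # ACK set: not a Xmas probe
]


def is_xmas(flags):
    """Exact match on FIN+PSH+URG, like Snort's flags:FPU without a modifier."""
    return flags == XMAS


def per_packet_alerts(packets):
    """One alert per matching packet: what a bare flags rule produces."""
    return [p for p in packets if is_xmas(p[4])]


def thresholded_alerts(packets, window_s=1.0):
    """Collapse repeated hits from one source into one alert per window, the
    way a Snort event_filter (type limit, track by_src, count 1) suppresses
    duplicate alerts from a burst of probes. Returns (time, src, dst, dport)."""
    last_alert = {}
    alerts = []
    for t, src, dst, dport, flags in packets:
        if not is_xmas(flags):
            continue
        if src not in last_alert or t - last_alert[src] >= window_s:
            last_alert[src] = t
            alerts.append((t, src, dst, dport))
    return alerts


if __name__ == "__main__":
    print("rule:", SNORT_RULE)
    print("per-packet alerts:", len(per_packet_alerts(SAMPLE_PACKETS)))
    for a in thresholded_alerts(SAMPLE_PACKETS):
        print("ALERT t=%.2f %s -> %s:%d Xmas probe" % a)
```

The exact-match rule is deliberately narrow: a probe with any extra bit set (the XMAS | ACK line) is not an Xmas scan under the RFC 793 argument above, because an ACK-bearing segment draws a RST from open and closed ports alike.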
• Some systems do not follow RFC 793 and send RST responses to the probes
regardless of whether the port is open or not [2].
• Against such a system every port is labelled closed.
• This behaviour is shown by Microsoft Windows and many Cisco devices [2].
• However, the scan works against most UNIX-based systems [2].
• Also, these scans can't distinguish open ports from certain filtered
ones, leaving the result as open|filtered [2].
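The response rules from the Xmas Tree Scan slides (RST means closed, silence means open|filtered, an ICMP type 3 unreachable with code 1, 2, 3, 9, 10 or 13 means filtered) and the RFC-non-compliant case just described, encoded as an added example. This is not code from the presentation or from Nmap; the two target models are simplified stand-ins for a compliant host behind a filter and for a Windows-style host that RSTs everything, and the port numbers are assumed.

```python
"""Classifying Xmas-scan results, with a compliant and a non-compliant target
(added example, not Nmap's implementation)."""

# ICMP destination-unreachable codes that mark a port "filtered" in Nmap's
# FIN/NULL/Xmas scans: host/net/port/admin-prohibited style errors.
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


def classify(response):
    """response is None (no reply), "RST", or ("ICMP", type, code).

    Returns Nmap's state label for a Xmas probe with that response."""
    if response is None:
        return "open|filtered"      # RFC 793: open ports drop the probe silently
    if response == "RST":
        return "closed"             # RFC 793: CLOSED answers non-RST segments with RST
    if isinstance(response, tuple) and response[0] == "ICMP":
        _, icmp_type, icmp_code = response
        if icmp_type == 3 and icmp_code in FILTERED_ICMP_CODES:
            return "filtered"       # an in-path filter refused the probe
    raise ValueError("unexpected response: %r" % (response,))


def rfc793_target(open_ports, filtered_ports=()):
    """Simplified model of an RFC 793 host sitting behind a packet filter:
    filtered ports draw ICMP admin-prohibited (3/13), open ports stay silent,
    closed ports answer RST. (In reality the ICMP comes from the filter.)"""
    def respond(port):
        if port in filtered_ports:
            return ("ICMP", 3, 13)
        return None if port in open_ports else "RST"
    return respond


def rst_everything_target(open_ports):
    """Model of a host (Windows, many Cisco devices) that sends RST to a Xmas
    probe whatever the port state; open_ports is ignored on purpose."""
    return lambda port: "RST"


def xmas_scan(ports, respond):
    """Probe each port through the target model and classify the reply."""
    return {port: classify(respond(port)) for port in ports}


if __name__ == "__main__":
    ports = [22, 23, 80]
    print("compliant:", xmas_scan(ports, rfc793_target({22}, filtered_ports={23})))
    print("RST-all:  ", xmas_scan(ports, rst_everything_target({22})))
```

Against the RST-everything model the open port 22 is reported closed, which is the "all ports closed" outcome described above; the scan result alone does not reveal that the target is non-compliant.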
Packet Design for the Xmas Tree Scan
• In the project we used Nmap to do the actual scan.
• But the packets required for the Xmas tree scan can easily be
constructed with a packet-crafting tool such as CommView.
• A TCP packet carries flags which must be set to do a Xmas tree scan.
• A Xmas tree scan sends a TCP packet to a remote device with the URG,
PSH, and FIN flags set [10].
• "This is called a Xmas tree scan because of the alternating bits turned
on and off in the flags byte (00101001), much like the lights of a
Christmas tree" [10].
• So in CommView we need to set the flags byte of a TCP packet to
00101001.
• CommView shows packet contents in hexadecimal, so we needed the
hexadecimal value of the binary 00101001, which is 0x29.
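As an added example (not code from the presentation, from CommView or from Nmap), the Xmas probe segment built from scratch: the flags byte is assembled from the flag names so that FIN, PSH and URG give 00101001 = 0x29 at header offset 13, and the TCP checksum is computed over the IPv4 pseudo-header so the segment would be accepted by a target rather than dropped as corrupt. This also illustrates the TCP & TCP Flags slide. Addresses and ports are assumptions; actually sending the segment needs a raw socket and root privileges (as the history slide notes) and is left out so the code runs offline.

```python
"""Hand-built Xmas probe: TCP header with flags 0x29 and a valid checksum
(added example)."""
import socket
import struct

# TCP control bits in the flags byte: FIN is bit 0, URG is bit 5.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_byte(*names):
    """Map flag names to the flags byte; ("FIN","PSH","URG") -> 0b00101001 == 0x29."""
    value = 0
    for name in names:
        value |= FLAG_BITS[name.upper()]
    return value


def checksum(data):
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_length):
    """IPv4 pseudo-header that the TCP checksum covers (RFC 793)."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_length)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024):
    """20-byte TCP header, no options, no payload, checksum filled in."""
    data_offset = 5 << 4                     # header length 5 words; reserved bits 0
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         data_offset, flags, window, 0, 0)   # checksum field 0 for now
    csum = checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def flags_of(segment):
    """The flags byte is at offset 13 (offset 12 holds data offset/reserved)."""
    return segment[13]


def checksum_ok(src_ip, dst_ip, segment):
    """A receiver's check: summing pseudo-header + segment (checksum included) gives 0."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


if __name__ == "__main__":
    # Assumed scanner and target addresses; not a real capture.
    seg = build_tcp_segment("10.0.0.7", "10.0.0.9", 40000, 22, flags_byte("FIN", "PSH", "URG"))
    print("flags byte: 0x%02x (%s)" % (flags_of(seg), format(flags_of(seg), "08b")))
    print("segment:", seg.hex())
```

Reading the hex dump, the byte after the 0x50 data-offset byte is 0x29, which is the value that has to be typed into a tool like CommView; a scanner that forgets the pseudo-header in the checksum produces a probe that the target silently discards, which looks identical to an open|filtered port.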
Conducting the actual Xmas Tree Scan
Packets received   Packets from CommView   Rate (packets/s)   Alerts
25983              10000                    200               12
26022              10000                    400               11
25349              10000                    600               12
23159              10000                    800                8
21268              10000                   1000                6
[Chart: Alerts vs. Rate (packets/s), plotting the Alerts column above for
200, 400, 600, 800 and 1000 packets/s, 10000 packets per run]
References
[1] Network Probes Explained: Understanding Port Scans and Ping Sweeps, Linux Journal, December 1st 2000, http://www.linuxjournal.com/article/4234
[2] Port scanning techniques, Insecure.org, http://insecure.org/nmap/man/man-portscanning-techniques.html
[3] Computer port, Wikipedia, http://en.wikipedia.org/wiki/Computer_port_%28software%29
[4] Port scanning, www.cs.wright.edu, http://www.cs.wright.edu/~pmateti/Courses/499/Probing/
[5] Port numbers, IANA, http://www.iana.org/assignments/port-numbers
[6] Registered port, Wikipedia, http://en.wikipedia.org/wiki/Registered_port
[7] Well known IP ports, 0 through 999, www.networksorcery.com, http://www.networksorcery.com/enp/protocol/ip/ports00000.htm
[8] Transmission Control Protocol, Wikipedia, http://en.wikipedia.org/wiki/Transmission_Control_Protocol
[9] RFC 793, Faqs.org, http://www.faqs.org/rfcs/rfc793.html
[10] Xmas tree scan, www.networkuptime.com, http://www.networkuptime.com/nmap/page3-5.shtml