CS4238: COMPUTER SECURITY PRACTICE
Lecture 2: Reconnaissance and Scanning
Dr. Prasanna Karthik Vairam
School of Computing
© Copyright National University of Singapore. All Rights Reserved.
Phase 1: Reconnaissance
Low-Tech Reconnaissance
• Dumpster diving
• Social engineering: exploiting the human element of a
computer system
– Fraud phone call (with spoofed caller ID), email spam,
phishing
– Countermeasures:
• Users must check the identity of the other end of the
communication
• Governments can set up a hotline number
• Governments can educate users
• Physical break-in
Searching the Fine Web
• Google Hacking: using search operators to query Google.
– Use quotes for an exact phrase: " ... "
– Number ranges, e.g. 1..10
– info: information about a link
– site:[domain], link:[web page], intitle:[term(s)],
related:[site], cache:[page], filetype:[suffix],
not (-), plus (+)
– Complete List: https://ahrefs.com/blog/google-advancedsearch-operators/
Searching the Fine Web
• What can you find?
• You can try the following searches:
– inurl:wp-login.php
– inurl:<domain-suffix>/[administrator|admin] [password|user|login]
– intitle:"Index of"
– inurl:view/index.[shtml|html]
– inurl:viewer_index.[shtml|html]
Searching the Fine Web
• More of these?
– Johnny Long's books: "Google Hacking for Penetration Testers"
– Google Hacking Database (GHDB) site:
https://www.exploit-db.com/google-hacking-database
– Also check the available categories,
e.g. “Files containing passwords”, …
Searching the Fine Web
• Google phone book search:
– Service now retired
– Could have search terms:
• rphonebook, phonebook, ...
– Current alternatives:
www.zabasearch.com, …
• Other types of searches:
– TinEye (tineye.com): reverse image search
– Metagoofil: metadata of public documents
– LLMs? What could go wrong!
Social Networks
• Not just Google – social networks contain information about
people/organizations
– LinkedIn
– Facebook
– Instagram
– Job sites
– ...
Internet Archive
• The Internet may not forget
– Google cache: click the down arrow next to any returned
search-result entry
– Google images
– Internet Archive Wayback Machine
• http://archive.org/web/
– Advertisement alert! What is the solution? Privacy laws. How to
implement them? Work with me!
From the Wayback Machine
Whois Database
• Whois databases: a variety of data elements regarding the
assignment of domain names
• Important information about a site:
– Names: administrator, contact person
– Telephone numbers
– Emails
– Postal addresses
– Registration dates
– Name servers
• Access: whois command, who.is, www.whois.net
Whois Caveats
• Information may not be accurate:
– Validation obligation on registrars
– Whois privacy/private registration
• Hide details behind proxy information
– Whois accuracy study (2010-02-19):
• 1,419 representative domain names
• 23% had the owner's correct name and physical address
• 29% had fake or dubious information
Open Source Intelligence (OSINT)
• Derived from freely-accessible sources: public records,
information shared by organizations
• Benefit for attackers:
– Queries are not sent to the target domain directly
– Reconnaissance activities are not recorded in the target
domain’s log files
Other Popular Recon Tools (Kali Linux)
• Some other recon tools are available in Kali Linux
• Examples:
– theHarvester: look for email addresses
https://tools.kali.org/information-gathering/theharvester
– Maltego (https://www.paterva.com):
https://tools.kali.org/information-gathering/maltego-teeth
Other Popular (Web-based) Recon Tools
• Numerous web-based recon tools are also available
• They issue various queries to obtain publicly available
information about the targets
• Some examples:
– Netcraft (https://www.netcraft.com)
– Centralops.net (https://centralops.net)
– Shodan (https://www.shodan.io): Search IoT devices
New Age Sources
What is a Mobile Ad Stream?
• Mobile apps (especially free ones) often integrate advertising
SDKs (e.g., Google AdMob, Facebook Audience Network,
Unity Ads).
• These SDKs transmit metadata about the device and user to
ad networks in order to deliver targeted ads.
– The mobile app loads an ad → this triggers a real-time bidding
process (auction): "who wants to show an ad, and at what price,
to a user at geolocation x,y?"
– Takes a few milliseconds to load, and happens many times a
day.
New Age Sources
• What Kind of Data Leaks?
– Device Identifiers: IMEI, IMSI, Advertising ID (IDFA/GAID).
– Location Data: GPS coordinates, Wi-Fi SSIDs, cell tower
info.
– Network Metadata: IP address, ASN, carrier details.
– App Usage: Which apps are installed or being used,
indirectly inferred from ad requests.
– User Profiling: Demographics, interests, browsing history
(when linked with cross-app tracking).
– Timing Patterns: When the device is active, frequency of
activity.
New Age sources
• Mobile Ad Stream Recon Techniques
– Purchase from advertising exchanges (e.g., Google Ads,
The Trade Desk, InMobi).
– Purchase from Data brokers (e.g., cuebiq, venntel,
safegraph)
– Purchase from dark web
New Age Sources
• LLMs and Adversarial prompting
Output of Reconnaissance
• After the reconnaissance phase, attackers know:
– Telephone numbers
– Domain names
– IP addresses
– Servers
– Technical contact information
– People information
–…
Phase 2: Scanning
Getting Access to a Network
• War driving: finding wireless access points
– Approaches: active scanning, passive sniffing, forcing
deauthentication
– Defense: privacy in ESSID, wireless security protocols, VPN,
detection
• War dialing:
– Looking for modems in target networks
Network Mapping
• To gain understanding of the topology of
the target network:
– Discover critical hosts, firewalls, and routers
• Network mapping tools
– Ping:
• Find live hosts
• Use ICMP echo request and echo reply packets
• Can also be done with the nmap host-discovery ("ping sweep")
option:
nmap -sP, or -sn (no port scan) in newer nmap
Network Mapping
– Traceroute:
• What the hops are
• Exploit the property of IP’s TTL field and
ICMP time exceeded notification
Source: Skoudis & Liston, Counter Hack Reloaded
Traceroute & Firewall: Review
• traceroute (UNIX):
• tracert (Windows):
• Firewalls usually block ICMP or unwelcome UDP!
Example Results of Network Mapping
Source: Skoudis & Liston, Counter Hack Reloaded
Defense Against Network Mapping
• Block unnecessary ICMP packets using firewall:
– To disable ping
• Filter ICMP Time Exceeded messages leaving a network:
– To hinder traceroute
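Added example, not from the slides: a small model of the traceroute mechanism from the Network Mapping slide (TTL counting down at each router, ICMP Time Exceeded from the router that discards the probe) together with the effect of the defense above (filtering ICMP Time Exceeded leaving a network). The topology and addresses are constructed; no packets are sent.

```python
# Simulated traceroute over a modelled path (added example, not from the
# slides). It shows the TTL / ICMP Time Exceeded mechanism and what happens
# when a network filters outbound Time Exceeded: its hops become '*', while
# the destination's own reply still reveals that the host is reachable.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    """A router on the path. sends_time_exceeded=False models a network that
    filters ICMP Time Exceeded on the way out (the slide's countermeasure)."""
    addr: str
    sends_time_exceeded: bool = True


@dataclass
class Path:
    hops: List[Hop]
    destination: str

    def probe(self, ttl: int) -> Tuple[str, Optional[str]]:
        """Forward one probe with the given TTL through the modelled routers.
        Each router decrements TTL; the one that drives it to zero discards the
        probe and normally answers with ICMP Time Exceeded. A probe surviving
        every hop reaches the destination, which replies (ICMP Port Unreachable
        for a UDP traceroute). Returns (reply_kind, responder_address)."""
        for hop in self.hops:
            ttl -= 1
            if ttl == 0:
                if hop.sends_time_exceeded:
                    return "time_exceeded", hop.addr
                return "timeout", None
        return "port_unreachable", self.destination


def traceroute(path: Path, max_ttl: int = 30) -> List[str]:
    """Probe with TTL 1, 2, 3, ... until the destination answers or max_ttl.
    Returns one entry per TTL: the responder's address, or '*' on silence."""
    hops_seen = []
    for ttl in range(1, max_ttl + 1):
        reply, responder = path.probe(ttl)
        hops_seen.append(responder if responder else "*")
        if reply == "port_unreachable":
            break
    return hops_seen


# Constructed topology (RFC 5737 documentation addresses): two upstream routers
# answer normally; the target's two routers sit behind a filter that drops
# outbound ICMP Time Exceeded, so they show up as '*'.
EXAMPLE_PATH = Path(
    hops=[Hop("10.1.0.1"), Hop("203.0.113.1"),
          Hop("198.51.100.1", sends_time_exceeded=False),
          Hop("198.51.100.2", sends_time_exceeded=False)],
    destination="198.51.100.10",
)
```

Running `traceroute(EXAMPLE_PATH)` gives the two upstream routers, two `*` entries for the filtered hops, and finally the destination: the filter hides the internal topology but not the reachability of the end host.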
Port Scanners
• Now, an attacker already understands the addresses of live
systems and the target network’s topology
• What are the services running on the targets?
– Check for open TCP and UDP ports
– Each machine with a TCP/IP stack has 65,536 TCP ports and
65,536 UDP ports
– Ports are “doors” into each machine
• Port scanning: knocking at the doors
Nmap ("Network Mapper")
• Nmap is a full featured port-scanning tool:
– Command-line tool, with GUI frontend
– Installation: sudo apt-get install nmap zenmap
– Usage: nmap [Scan Type(s)] [Options] {target specification}
Why so many options?
• Stealth:
– Timing template -T
– Stealth scan types -s
• Information:
– Reconnaissance
– Vulnerability info
• Scope:
– Entire network? Maybe not!
• Performance:
– Timing
– Parallelism
– Rate limiting
– Retries
Basic (Default) Scan
• Direct scan: TCP Connect
– Nmap: nmap -sT
– Default TCP scan type when SYN scan is not possible, i.e.
user does not have raw packet privileges
Source: Skoudis & Liston, Counter Hack Reloaded
Issues with Basic Scan
• Tries to balance all 4 requirements!
• Issues with TCP Connect:
– Successful connections can be logged for analysis
– Unsuccessful connections can also be recorded.
• Repeated RST being sent from target towards attacker when port
is closed → signature
– Not Stealthy
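Added example, not from the slides: the defender's side of the point above. Because a TCP connect scan completes (or is refused on) every probed port, it leaves a trail of accepted and refused connections. The detector below reads constructed key=value connection-log lines (the format is made up for this example) and flags any source that touches many distinct ports on one host within a short window with several refusals.

```python
# Threshold detector for TCP connect scans in connection logs. Added example,
# not from the slides: it acts on the slide's point that a connect scan leaves
# both accepted and refused connections in logs, and that a burst of refused
# connections (RSTs) to one client is a signature. The log format is constructed.
import re
from collections import defaultdict
from datetime import datetime

# Constructed key=value log lines (not real nmap or firewall output).
# 10.0.0.5 walks through many ports; 10.0.0.7 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
2024-01-15T10:00:00Z src=10.0.0.5 dst=192.168.1.10 dport=21 result=refused
2024-01-15T10:00:00Z src=10.0.0.5 dst=192.168.1.10 dport=22 result=accepted
2024-01-15T10:00:01Z src=10.0.0.5 dst=192.168.1.10 dport=23 result=refused
2024-01-15T10:00:01Z src=10.0.0.5 dst=192.168.1.10 dport=25 result=refused
2024-01-15T10:00:02Z src=10.0.0.5 dst=192.168.1.10 dport=80 result=accepted
2024-01-15T10:00:02Z src=10.0.0.5 dst=192.168.1.10 dport=110 result=refused
2024-01-15T10:00:03Z src=10.0.0.5 dst=192.168.1.10 dport=443 result=refused
2024-01-15T10:00:05Z src=10.0.0.7 dst=192.168.1.10 dport=443 result=accepted
2024-01-15T10:00:09Z src=10.0.0.7 dst=192.168.1.10 dport=443 result=accepted
2024-01-15T10:05:00Z src=10.0.0.5 dst=192.168.1.10 dport=3306 result=refused
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) result=(?P<result>\w+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, dport, result); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["dst"], int(m["dport"]), m["result"]


def detect_scans(text, min_ports=5, window_s=60, min_refused=3):
    """Return {(src, dst): (distinct_ports, refused)} for suspected scanners.

    A pair is flagged when, in some window_s-second span, the source touched at
    least min_ports distinct ports on the host and at least min_refused of
    those attempts were refused (the RST pattern from the slide).
    """
    events = defaultdict(list)
    for ts, src, dst, dport, result in parse_log(text):
        events[(src, dst)].append((ts, dport, result))
    flagged = {}
    for pair, evs in events.items():
        evs.sort()  # by timestamp, so each start index opens one window
        for i, (start, _, _) in enumerate(evs):
            ports, refused = set(), 0
            for ts, dport, result in evs[i:]:
                if (ts - start).total_seconds() > window_s:
                    break
                ports.add(dport)
                refused += 1 if result == "refused" else 0
            if len(ports) >= min_ports and refused >= min_refused:
                flagged[pair] = (len(ports), refused)
                break
    return flagged
```

Thresholds need tuning per environment: a busy legitimate client hits few ports repeatedly, while a scanner hits many ports once each.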
For Stealth: Scan options -s
• Stealthier scans:
– TCP SYN Scan (default when running as root; most popular): nmap -sS
– TCP ACK Scan: nmap -sA
• Can also get past a firewall that blocks incoming connections
• May use widely-accepted source port numbers: 80, 443, 20
Source: Skoudis & Liston, Counter Hack Reloaded
– TCP FIN (-sF), Xmas tree (-sX), Null Scans (-sN)
For Stealth: Timing Option -T
• Different timing options for scanning rate
• nmap -T<0-5>: higher is faster
– 0: Paranoid (slowest)
– 1: Sneaky
– 2: Polite
– 3: Normal (default)
– 4: Aggressive
– 5: Insane (fastest)
Nmap Output Options
• -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename
• --packet-trace: Show all packets sent and received
• -v: Increase verbosity level (use -vv or more for greater effect)
• --reason: Display the reason a port is in a particular state
Nmap in Action
Source: https://nmap.org/book/synscan.html
For Information: Port status
• Nmap interprets a host’s response
• Different possible states: open, closed, filtered, unfiltered
(accessible, but can be open or closed)
Source:
https://nmap.org/book/synscan.html
For Information: Active OS Fingerprinting
• Goal: to identify the OS of a target host
• Technique: send malformed network packets
– SYN packet to open port
– NULL packet to open port
– ACK packet to open port
–…
• RFCs do not specify how a system should respond to such
packets
• Command: nmap -O
For Information: Service/Version Detection
• A need to detect the service/version running on an open port
• Has a DB mapping software (versions) to expected responses; the
observed response is checked against this DB!
• Can correctly identify services using
non-standard port numbers
• Example: HTTP running on port 8000
• Command: nmap -sV
For Information: Vulnerability Detection
• It can run scripts (to be covered later) to identify
vulnerabilities in a target.
• Available options: vuln, auth, exploit
• Example: identify an outdated version of Apache Tomcat →
vulnerabilities associated
For Performance: Timing and perf options
• We have already seen the timing options with -T
• Performance options:
– --max-retries
– --scan-delay
– --max-scan-delay
– --exclude
– --top-ports
– Supply an input list of IP addresses (-iL), if one is available
For Scope: Range limiting
• Target IP and port range:
– nmap 192.168.1.1-10 -p 22,80
• CIDR notation: nmap 192.168.1.0/24
• Target input list:
– nmap -iL target.txt
• Exclude targets (already seen): --exclude
• Host discovery only: nmap -sn 192.168.1.0/24
Defenses against Port Scanning
• Observe using Wireshark.
• Close unnecessary open ports
– What ports are open?
• netstat -na | grep "LISTENING"
• lsof -i
– Kill the program or stop the service
• Use advanced firewalls
– Stateful firewall or proxies
Nmap Scripts
• Nmap allows users to write NSE scripts in Lua.
• Portrule says when the script should run.
• Action says what should be run.
• Libraries:
– stdnse
– dns/ftp/smtp/http
– shortport
– json/xml/base64
– unpwdb, brute, vulns, openssl
• Let's see some examples: script1.nse and script2.nse
Nmap Resources
• All about Nmap: https://nmap.org
• Free Web edition of “Nmap Network Scanning” book (only
half of the complete book):
https://nmap.org/book/toc.html
• “NMAP - A Stealth Port Scanner”:
https://nmap.org/bennieston-tutorial/
• “10 Nmap Commands Every Sysadmin Should Know”:
http://bencane.com/2013/02/25/10-nmap-commands-everysysadmin-should-know
• Common port number cheat sheet:
http://packetlife.net/media/library/23/common_ports.pdf
Phase 3: Vulnerability Scanning
Progress Overview
• System attacks and defenses:
– Reconnaissance
– Scanning
– Automated vulnerability finding
– Automated exploitation
– Attacks to gain access, e.g., buffer overflow attacks and
defenses
Attackers’ Knowledge
• So far, attackers have gained the following knowledge of a
target system:
– IP addresses of live hosts
– General network topology
– List of open ports of live hosts
– List of services and versions
– OS types of live hosts
– (Ports open through firewalls)
• Where is the exploitable vulnerability?
Security Vulnerability
• Vulnerability:
“a weakness that can be exploited by an attacker to perform
unauthorized actions within a computer system”
• Exploitable vulnerability:
a vulnerability for which an exploit exists
• A vulnerability is assigned a reference number:
– CVE ID
– Bugtraq ID (BID): SecurityFocus (acquired by Symantec)
– Respective vendor’s reference ID
Vulnerability & Exploit Databases
• Vulnerability databases:
– Common Vulnerabilities and Exposures
(https://cve.mitre.org/cve/search_cve_list.html):
maintained by Mitre Corporation
– Various vendor advisory databases
• Exploit databases:
– Shared exploits for PoC and educational purposes
– Exploit Database: https://www.exploit-db.com/
– Rapid7: https://www.rapid7.com/db
– SecurityFocus: https://www.securityfocus.com/
Zero-day Vulnerability & Exploit
• A zero-day (0-day) vulnerability:
vulnerability that is unknown to those who would be
interested in mitigating it (including its vendor):
– "Day Zero“: the day on which the interested party
(i.e. the vendor of the targeted system) learns of
the vulnerability
– Up until that day, the vulnerability is known as
a zero-day vulnerability
• A zero-day exploit:
an exploit directed at a zero-day vulnerability
Vulnerability Lifecycle
• A look at vulnerability lifecycle:
Source: http://resources.infosecinstitute.com/a-world-of-vulnerabilities
CVSS
• Common Vulnerability Scoring System (CVSS):
– A free and open industry standard for assessing the
severity of vulnerabilities
– 3 metric groups: base, temporal, environmental
– Base metrics: produce a score from 0.0 to 10.0
• CVSS calculator:
– Produces the scores of 3 metric groups based on
your specified values of respective metric names
– Also gives you the “vector string” for your easy reference
– See: https://www.first.org/cvss/calculator/3.1
• Also read:
https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System
Vulnerability-Scanning Tools
• Vulnerability-scanning tools:
automate the process of connecting to
a target system and checking for vulnerabilities
• Types of vulnerabilities:
– Common configuration errors
– Default configuration weaknesses
– Well-known system vulnerabilities
Vulnerability-Exposure Window
• A look at vulnerability lifecycle:
• When is a vulnerability scanner useful?
Source: http://resources.infosecinstitute.com/a-world-of-vulnerabilities
A General Vulnerability Scanner
Source: Skoudis & Liston, Counter Hack Reloaded
Differences with AV
• Antivirus vs vulnerability scanner?
– Question: What are the differences?
– How do they differ in inspecting vulnerabilities?
– Some aspects to contrast:
Goal, scope of detection, monitoring agent, information
examined, reference data, output
Available Vulnerability Scanners
• Commercial scanners:
– Harris Corporation's STAT Scanner
– ISS’s Internet Scanner: acquired by IBM in 2006
– GFI LANguard Network Security Scanner
– E-eye’s Retina Scanner
– Qualys' QualysGuard (Qualys Cloud Platform)
– Nessus: very popular, a free version is available
• Free scanners:
– OpenVAS (www.openvas.org): a fork of older Nessus
– ATK (Attack Tool Kit)
Nessus
• User can write his/her own vulnerability checks
• A large group of developers
• Also allows for credentialed and compliance checks
Source: Skoudis & Liston, Counter Hack Reloaded
Nmap for Vulnerability scanning
• You can also use nmap scripts for vulnerability scanning.
• Nmap Scripting Engine (NSE)
– Generic scripts
nmap --script vuln 192.168.1.10
– Targeted scripts
nmap --script http-vuln* -p80,443 192.168.1.10